Are you vulnerable?

Konsult wishes to improve the way we inform you about security issues. Transparency is key to making sure your websites are patched and as secure as possible. Here you will see all security issues fixed in Kentico 12 and all future versions.

The hotfixes are cumulative, meaning that each hotfix contains all the previous hotfixes for the same version. We recommend that you apply the latest hotfix available for the Kentico version you are using. If you are looking for older versions, please visit https://devnet.kentico.com/download/hotfixes.
 


Hotfix 12.0.36

Published: Fri, 23 Aug 2019 08:22:32 GMT

Be sure to check our Hotfix instructions before starting the hotfix process. It might save you some trouble afterwards.

Fixed bugs:

  • Dialogs - It was not possible to select or drag and drop media files from the file system after opening the media files selector modal dialog. The problem occurred when the 'allowedExtensions' property was not specified in the 'options' parameter object of the 'modalDialog.mediaFilesSelector.open(options)' function.
  • Modules - The 'Parent object type' property of the 'Roles' application's 'Edit role' UI element was incorrectly set to 'A/B test (om.abtest).' This could have caused errors when adding child UI elements to the 'Edit role' element. Applying the hotfix sets the 'Parent object type' property to '(automatic).' Note that this will also overwrite any customizations made to the 'Edit role' element in your project.
  • Web parts - Layout web parts located in a hidden web part zone were completely invisible in the editing interface. The editing handle of such web parts was hidden, and it was not possible to edit them.


Hotfix 12.0.35

Published: Fri, 16 Aug 2019 08:46:20 GMT

Fixed bugs:

  • E-commerce - In certain cases, when utilizing the web part-based checkout process on Portal Engine sites, a previously selected shipping option incorrectly persisted over multiple orders, even though the orders did not contain any shippable items. Furthermore, when using custom shipping carrier providers, removing all shippable items from an order after a shipping option has been selected resulted in an error in certain cases.
  • E-commerce - The 'Customer detail' web part did not validate the uniqueness of entered email addresses for signed-in users. If the entered email address was already registered in the system (e.g., by another user), this could have resulted in two users with identical addresses (due to the way the system merged the submitted information with the internal user object).
  • General - When the Kentico application was running behind a proxy server or some other service that masks the application's original domain (e.g., Azure Application Gateway), it generated certain requests with incorrect URLs. This caused errors in parts of the application (e.g., when uploading files into Media libraries). When hosting the Kentico application behind a proxy server, developers need to set the 'CMSUrlHost' web.config key (added by the hotfix) to the 'host' component of the proxy server's URL to ensure the application correctly generates request URLs. Please note that this configuration currently applies only for Portal Engine projects. See the hotfix instructions for more information.
  • MVC - Installing or updating the 'Kentico.AspNet.Mvc' NuGet package added an empty 'CMSConnectionString' <add> element to the 'connectionStrings' section in the web.config file, if it was not already present. This could cause errors in certain scenarios, for example when using an external connection string file specified via the 'configSource' attribute. The same problem could also occur for the 'appSettings' section with specified 'configSource', where the NuGet installation was adding the 'CMSHashStringSalt' app setting. Versions 12.0.35 and newer of the package no longer add the empty 'CMSConnectionString' and 'CMSHashStringSalt' elements when the 'configSource' attribute is present in their parent section. In case of external config sources, developers need to manually specify the 'CMSConnectionString' connection string and the 'CMSHashStringSalt' app setting in the external config files.
  • Web farms - In special cases, the system accumulated redundant records by repeatedly failing to delete the records from the 'CMS_WebFarmTask' database table.


Hotfix 12.0.34

Published: Fri, 09 Aug 2019 11:14:26 GMT

Fixed bugs:

  • Form controls - When using the 'Image selection' and 'Media selection' form controls for the fields of pages under workflow, validation of the fields was executed incorrectly in certain cases. For example, if the field was set as required after an existing page was already published, the validation prevented users from subsequently creating a new version of the page.
  • Users - Kentico's ASP.NET Identity integration for MVC projects was tightly coupled with the default 'Kentico.Membership.User' class. Any changes to the 'User' class (e.g., added custom properties or additional logic) required a full re-implementation of the entire ASP.NET Identity integration. The hotfix expands the Kentico membership API by introducing the 'KenticoUserManager', 'KenticoUserStore', and 'KenticoSignInManager' types, which allow developers to seamlessly integrate custom user types derived from the default 'Kentico.Membership.User' class. See the hotfix instructions for more details.


Hotfix 12.0.33

Published: Fri, 02 Aug 2019 11:58:38 GMT

Fixed bugs:

  • A/B testing - The 'New...' context menu in the Pages application incorrectly offered the option to create new pages as A/B test variants on MVC (content-only) sites. This option was not relevant, as the A/B testing feature on MVC sites does not use separate pages for variants.
  • General - It was not possible to precompile and publish (e.g., via the Visual Studio 'Publish' wizard) the Kentico project hotfixed to version 12.0.29 or higher due to incorrect file references. Applying the hotfix ensures no incorrect references exist in the project's .csproj file, allowing the publishing process to proceed without problems.
  • Hotfix - After applying hotfix 12.0.29 or newer to the Kentico setup files, new web projects created using the hotfixed installer did not run or compile correctly (due to missing updates of the NuGet package 'packages.zip' archive). To fix the problem, you need to apply hotfix 12.0.33 or newer to the setup files.


Hotfix 12.0.32

Published: Fri, 26 Jul 2019 11:46:02 GMT

Fixed bugs:

  • Security (Medium) - User widget properties disclosing system object information - An authenticated user was able to view certain system objects through the live site widget properties dialog.
  • Campaigns - When a visitor arrived at a campaign's landing page via a link containing UTM parameters and accepted cookies via the 'Cookie law and tracking consent' web part, the visitor's cookie level and UTM parameters were not evaluated correctly. As a result, a page visit activity was not logged for the campaign's landing page.
  • Form engine - Forms that contained fields with conditions whose evaluation required a server postback (e.g., fields with 'Has depending fields' enabled) lost focus on the currently selected field after the form was reloaded. After applying the hotfix, field selection persists through postbacks.
  • Portal Engine - When a registered user tried adding or configuring widgets on the Portal Engine live site, changes made inside the 'User personalization' widget zones were not saved. You could experience this issue if you installed the hotfix version 12.0.30 or 12.0.31.
  • Search - The 'SearchParameters.PrepareForPages' method created a 'SearchParameters' object that forced a specific level of supported smart search syntax for search queries. This interfered with the smart search functionality, for example not allowing exact field searching to be performed (i.e., the syntax 'field:"searchquery"' was incorrectly processed). The hotfix introduces overloads for the 'SearchParameters.PrepareForPages' method that allow users to configure the levels of supported syntax per search request when creating the 'SearchParameters' object. See the hotfix instructions for details.


Hotfix 12.0.31

Published: Fri, 19 Jul 2019 11:50:29 GMT

Fixed bugs:

  • A/B testing - It was incorrectly possible to add and delete page variants of running MVC A/B tests. Deleting page variants while a test was running could lead to loss of data and result in skewed test results.


Hotfix 12.0.30

Published: Fri, 12 Jul 2019 10:41:35 GMT

Fixed bugs:

  • MVC - When running an MVC site and the Kentico administration application on different domains, an error could occur when creating new pages of a content-only page type with the 'Show Page tab' setting enabled. The error was encountered if the 'UseResourceSharingWithAdministration()' feature was not enabled for the MVC application, and only after applying hotfix 12.0.29 (Service Pack). With hotfix 12.0.30 or newer, the cross-origin resource sharing feature is automatically enabled for all MVC projects.
  • Page builder - Pages created using the MVC page builder (i.e. containing sections and widgets) displayed an error on the live site if the MVC application's route collection did not contain a general default route with a controller and action parameter. The problem occurred after applying hotfix 12.0.29 (Service Pack).
  • Portal Engine - When adding or configuring editor widgets in the Pages application on Portal Engine sites, changes made in the widget properties dialog were not saved in scenarios where the user opened the live site in another browser tab.
  • REST - An error occurred when using the REST service to set the value of a column with the GUID data type if the request data was in the JSON format.
  • Workflow - An error occurred when trying to restore pages under certain types of advanced workflow from the recycle bin (if the workflow utilized wait steps or step timeouts). If the issue persists for pages created before the hotfix was applied, you need to manually delete scheduled tasks related to the given workflows in the 'Scheduled tasks' application on the 'System tasks' tab before restoring the pages.


Hotfix 12.0.29

Published: Wed, 26 Jun 2019 13:32:26 GMT

Hotfix 12.0.29 is the Kentico 12 Service Pack, which represents a larger update than a standard hotfix and includes new features. For detailed information about the introduced changes, please refer to the Service Pack release notes.
 
Be sure to check the Hotfix instructions for information about correctly applying the service pack.


Hotfix 12.0.28

Published: Fri, 21 Jun 2019 11:23:43 GMT

Fixed bugs:

  • Attachments - If checking of page permissions was enabled for attachment files ('System -> Files -> Check files permission' setting), the result of the permission evaluation was cached incorrectly. This could cause users to incorrectly be allowed (or unable) to access attachments based on the cached result.
  • Media library - The system incorrectly retrieved and displayed the file size value as 0B for very large media library files (for example in the 'Media libraries' application and media selection dialogs).


Hotfix 12.0.27

Published: Fri, 14 Jun 2019 13:03:10 GMT

Fixed bugs:

  • Email marketing - If an email widget used in a marketing email was deleted, the email was then modified and saved, and the widget was later restored, it was not possible to send out the marketing email (the system did not detect the restoration of the widget and update the email to a sendable state).
  • On-line marketing - On sites built using the MVC development model, 'Page visit' and 'Landing page' activities were incorrectly logged when viewing pages in the 'Pages' application of the administration interface. After applying the hotfix, page related activities are only logged on the live site.


Hotfix 12.0.26

Published: Fri, 07 Jun 2019 19:03:14 GMT

Fixed bugs:

  • Import/Export - When a package containing site-specific data was imported, the system forced the rebuild of all smart search indexes. This occurred for all imported objects and could result in long and unnecessary rebuild operations for large indexes. The hotfix disables the forced index rebuild and introduces a new 'Rebuild site search indexes' setting in the 'Objects selection' step of the import wizard, allowing users to determine whether an index rebuild is necessary for each individual import.
  • MVC - Properties of page and form builder components annotated with the 'EditingComponent' attribute were incorrectly validated against the database column size constraints specified in the constructor of the corresponding editing component's properties class. After applying the hotfix, the database column size constraint validation is performed only when submitting values via a form composed using the 'Form builder.'
  • MVC - The 'Insert link' dialog, available in the editor for rich text fields on the 'Content' tab of content-only pages, incorrectly created page links with absolute URLs, including the site's scheme, domain and application path (i.e. the site's 'Presentation URL'). This could cause broken links when transferring content between different environments, for example using staging. After applying the hotfix, the editor creates page links with virtual relative URLs ('~/<link path>'). Additionally, the hotfix introduces an output filter that automatically resolves all relative URLs on the side of the MVC live site (based on the environment where the site is actually running). See the hotfix instructions for more information.
  • Page builder - If content added through the page builder (for example using a custom text editor widget) included URLs in virtual relative format, the URLs became broken after resaving the content on the 'Page' tab in the 'Pages' application. Relative URLs ('~/<resource path>') are resolved into virtual context URLs ('/cmsctx/.../<resource path>') to work within the administration interface, but this value was incorrectly saved into the database on subsequent edits. After applying the hotfix, virtual context URLs are reversed back into relative URLs before being saved. The fix does not address any existing broken links - these need to be fixed and resaved manually.


Hotfix 12.0.25

Published: Fri, 31 May 2019 13:36:45 GMT

Fixed bugs:

  • Email marketing - The 'Insert macro' dialog within the plain text editing interface for marketing emails did not offer context specific objects (for example 'Recipient' or 'Email'). The problem occurred only after applying hotfix 12.0.17 or newer.
  • Email marketing - When a marketing email in an email feed of the 'Email campaign' type contained the 'IsInPersona' macro and was sent to a contact group, the macro always returned a 'True' value for all contacts in the contact group. The previously released 12.0.23 hotfix fixed the same issue, but only for email feeds of the 'Newsletter' type.
  • Page builder - If the default 'Checkbox' component was assigned to a property of a personalization condition type (using the 'EditingComponent' attribute), the checkbox did not work correctly in the resulting configuration dialog when the condition type was selected while personalizing a page builder widget.
  • Reporting - If a user subscribed to an entire report that had parameters and a filter, the resulting report status emails did not contain any data.


Hotfix 12.0.24

Published: Fri, 24 May 2019 10:13:52 GMT

Fixed bugs:

  • Form controls - If a form field used the 'HTML5 input' form control, the 'Enabled condition' advanced field setting did not work. Such fields were always enabled even if the specified condition was not fulfilled.
  • Page builder - If a script or other resource was linked in the markup of an MVC page using a protocol-relative URL, the link URL was incorrectly modified and became broken when the page was viewed in preview mode or the page builder interface within the Pages application.
  • Web parts - Custom filters created for the 'Filter' web part were not loaded correctly on precompiled sites.


Hotfix 12.0.23

Published: Fri, 17 May 2019 13:51:26 GMT

Fixed bugs:

  • Controls - The '~/CMSModules/Content/FormControls/Documents/SelectPath.ascx' control's selection dialog did not work if the control was placed into the markup of a web form or user control and its 'EnableSiteSelection' property was set as an attribute.
  • E-commerce - Payments using the default Authorize.Net provider could fail due to an exceeded maximum length of requests generated by the system (in cases where the payment data contained long parameters, such as the names of shipping options, etc.). Additionally, the system did not resolve localization expressions in the parameters of the sent payment data.
  • Email marketing - When a marketing email containing the 'IsInPersona' macro was sent to a contact group, the macro always returned a 'True' value for all contacts in the contact group.
  • Staging - Staging service authentication using X.509 certificates did not work on instances hosted as an Azure App Service (the system worked with a different certificate store location than the one used by certificates imported into Azure).


Hotfix 12.0.22

Published: Fri, 10 May 2019 15:06:43 GMT

Fixed bugs:

  • Authentication - The system did not send password reset emails in cases where the user's email address matched the address of another user account that was disabled.
  • E-commerce - If a customer set both the shipping and billing address during checkout on a Portal Engine site (via a page containing the 'Customer detail' and 'Customer address' web parts), and then later returned to the given checkout step to update one of the addresses, the changes were not saved.
  • Media library - When the 'URL selector' form control was configured to display the Media tab and a media library 'Starting path' was also specified, it was not possible to select media files from subfolders if the given library was mapped to Azure storage.


Hotfix 12.0.21

Published: Fri, 03 May 2019 10:22:37 GMT

Fixed bugs:

  • Email marketing - Double opt-in, subscription, and unsubscription confirmation emails were sent with 'low' priority, which could cause long delays for subscribers on instances that sent out a large number of other emails. After applying the hotfix, the priority of such confirmation emails is set to 'normal'.
  • Form controls - When the 'Allow switch sides' setting was cleared and a 'Relationship name' was specified in the advanced editing control settings of a page type field that used the 'Related pages' form control, the resulting field did not allow adding of related pages from sites other than the current site.
  • Integration bus - When utilizing a web farm setup together with the integration bus, a single integration task could be processed by multiple web farm servers (usually when the environment experienced heavy load). For example, this could result in duplicates of the processed object being created in the connected external system.


Hotfix 11.0.49

Published: Fri, 26 Apr 2019 10:27:57 GMT

Fixed bugs:

  • Social media - When using URL shorteners to process links in text posted to social media, the application consumed excessive resources on the server (CPU) if the link URLs contained certain special characters. The problem also occurred when calling the 'URLShortenerHelper.ShortenURLsInText' method in custom code.


Hotfix 12.0.20

Published: Fri, 26 Apr 2019 09:01:50 GMT

Fixed bugs:

  • Portal Engine - When a page with a workflow applied contained an 'Editable text' web part, the latest version of the web part's content was not displayed in 'Preview' mode when viewing child pages which inherited the original page's content (via page nesting and the 'Page placeholder' web part).
  • Social media - When using URL shorteners to process links in text posted to social media, the application consumed excessive resources on the server (CPU) if the link URLs contained certain special characters. The problem also occurred when calling the 'URLShortenerHelper.ShortenURLsInText' method in custom code.
  • Translation services - The hotfix updates the Microsoft Translator Text API from Version 2 (V2) to Version 3 (V3), because V2 will be discontinued on April 30, 2019. In addition, the 'Speak' method of the 'MicrosoftTranslatorService' class, which could be used in custom code for text-to-speech functionality, is no longer supported after applying the hotfix.


Hotfix 12.0.19

Published: Thu, 18 Apr 2019 09:43:43 GMT

Fixed bugs:

  • Staging - When a page with an associated SKU was under a workflow, modified fields of the SKU that contained ID values (such as the 'SKUDepartmentID' field) were not staged correctly if the IDs were different between the staging servers, but the 'NodeSKUID' field was identical.


Hotfix 12.0.18

Published: Fri, 12 Apr 2019 08:54:30 GMT

Fixed bugs:

  • On-line forms - When editing forms on a Portal Engine site via the 'Form builder' tab in the 'Forms' application, removing or cloning of fields did not work if the field's 'Label' value contained an apostrophe (single quote) character.


Hotfix 10.0.52

Published: Wed, 10 Apr 2019 09:03:20 GMT

Fixed bugs:

  • Security (Critical) - Unauthenticated Remote Code Execution through .NET object deserialization in staging service - Due to an error in the Microsoft.Web.Services3 library, a specially crafted request to the staging service could bypass the initial authentication and proceed to deserialize user-controlled input. Deserializing that input then led to remote code execution on the server hosting the Kentico instance. The workaround is the same for all projects, regardless of whether staging is used - set the 'Staging service authentication' setting to 'X.509':
    1. Navigate to 'Settings' -> 'Versioning & Synchronization' -> 'Staging'
    2. Under the 'Staging service' section set 'Staging service authentication' to 'X.509'
    3. 'Save' the changes


Hotfix 12.0.17

Published: Fri, 05 Apr 2019 12:23:27 GMT

Fixed bugs:

  • E-commerce - For users with an associated customer, setting the 'First name', 'Last name' or 'Email' property to an empty value incorrectly cleared the corresponding value for the customer entity. These are required fields for customers, so this type of synchronization caused an invalid state. After applying the hotfix, only non-empty name and email values are synchronized from users to customers.
  • Form builder - The 'FormFieldRenderingConfiguration.GetConfiguration' event added as part of the form builder markup customization API introduced in hotfix 12.0.14 was incorrectly invoked in certain scenarios. After applying the hotfix, the event is only triggered for forms rendered by the 'Form' widget. All documented customization scenarios remain unaffected.
  • Form controls - The 'Uni selector' form control did not save selected items correctly if the returned value (determined by the control's 'Return column name' setting) contained special characters. The problem occurred in selection modes that utilize a dialog, such as 'Multiple'.
  • Macros - If an email widget property used the 'Macro editor' form control, context specific objects were not available in the macro autocomplete feature and 'Insert Macro' dialog. It was still possible to enter such objects manually.


Hotfix 11.0.48

Published: Thu, 04 Apr 2019 14:17:35 GMT

Fixed bugs:

  • Security (Critical) - Unauthenticated Remote Code Execution through .NET object deserialization in staging service - Due to an error in the Microsoft.Web.Services3 library, a specially crafted request to the staging service could bypass the initial authentication and proceed to deserialize user-controlled input. Deserializing that input then led to remote code execution on the server hosting the Kentico instance. The workaround is the same for all projects, regardless of whether staging is used - set the 'Staging service authentication' setting to 'X.509':
    1. Navigate to 'Settings' -> 'Versioning & Synchronization' -> 'Staging'
    2. Under the 'Staging service' section set 'Staging service authentication' to 'X.509'
    3. 'Save' the changes


Hotfix 12.0.16

Published: Fri, 29 Mar 2019 07:59:03 GMT

Fixed bugs:

  • API - The 'ResourceStringInfoProvider.TranslationExists' method returned an incorrect result in certain cases (after the system's cache was cleared).
  • Campaigns - When running a campaign on an MVC site, the value of the 'utm_content' parameter used in the campaign's links was not logged correctly for conversions or displayed in the campaign's reports.
  • Dialogs - When calling the 'modalDialog' JavaScript function in custom client code within the administration interface, the function's 'otherParams' parameter was ignored in certain cases (in locations where the system opened an advanced modal dialog). As a result, developers could not control parameters such as the resizability of the opened dialog.
  • Page builder - When using custom form components in the configuration dialog for page builder widget properties, scrolling functionality was incorrectly disabled. As a result, form components with scrollable elements (e.g. advanced drop-down options) did not work when used to edit widget properties.


Hotfix 12.0.15

Published: Fri, 22 Mar 2019 09:58:05 GMT

Fixed bugs:

  • Security (Critical) - Unauthenticated Remote Code Execution through .NET object deserialization in staging service - Due to an error in the Microsoft.Web.Services3 library, a specially crafted request to the staging service could bypass the initial authentication and proceed to deserialize user-controlled input. Deserializing that input then led to remote code execution on the server hosting the Kentico instance. The workaround is the same for all projects, regardless of whether staging is used - set the 'Staging service authentication' setting to 'X.509':
    1. Navigate to 'Settings' -> 'Versioning & Synchronization' -> 'Staging'
    2. Under the 'Staging service' section set 'Staging service authentication' to 'X.509'
    3. 'Save' the changes
  • E-commerce - If the product variant editing form (i.e. the 'Variant properties' alternative form of the 'SKU' class) was customized to display the 'Image' field (SKUImagePath), the field's default 'Product image selector' form control did not correctly save information about uploaded image metafiles. This resulted in incorrect behavior, for example when displaying or staging the variant and its image.
  • Form controls - The 'SKU selector' form control did not work if its 'Allow multiple choice' setting was enabled.
  • General - Processing of requests containing a query string parameter without a value, such as '?param', could result in an error in certain scenarios. For example, the errors could occur for requests that loaded files and other resources.
  • General export - When using the Advanced export feature for contacts in the 'Contact groups' application with the 'Export raw database data' option selected, it was not possible to select custom contact fields for the export.
  • Web parts & controls - An error occurred when attempting to select a file in the 'Linked file' property of the 'Javascript' web part if another file was already specified.


Hotfix 12.0.14

Published: Fri, 15 Mar 2019 13:59:03 GMT

Fixed bugs:

  • Form builder - The hotfix introduces additional API that enables more extensive markup customization options for forms built using the 'Form builder' feature. See the hotfix instructions for details.
  • Pages - When deleting a linked page from the content tree in the 'Pages' application, it was not possible to select an alternative page to which old URLs could be redirected.
  • Reporting - If a report had parameters with defined validation rules, the validation did not work when the report and its parameter filter were displayed on a website page using a reporting web part or widget.
  • Web parts - Tabs displayed by the 'Tabs layout' web part were not hidden correctly in certain cases when their content was empty, even when the web part's 'Hide empty tabs' property was enabled. For example, the problem occurred if a tab contained a Repeater web part with an empty data source and the 'Hide if no record found' property enabled.


Hotfix 12.0.13

Published: Fri, 08 Mar 2019 09:47:50 GMT

Fixed bugs:

  • Event management - All event attendees stored for an event, represented as a page of the 'Event (booking system)' page type, were removed when one of the page's culture versions was deleted. After applying the hotfix, event attendees are removed only after the deletion of the event's last remaining culture version.
  • Form builder - The system allowed invalid characters as part of the 'Name' property of form fields (adjustable via the Properties tab of the MVC Form builder). After applying the hotfix, the 'Name' property must begin with a letter or an underscore ('_') character and may contain only letters, numbers, and additional underscore characters.
  • MVC - When publishing an MVC live-site application (e.g., via the Visual Studio 'Publish' wizard), the publishing process did not copy certain .NET Resource (.resx) files. This resulted in unresolved resource strings in parts of the published application. The problem occurred when using versions 12.0.1 to 12.0.12 of the 'Kentico.AspNet.Mvc' NuGet package. From package version 12.0.13, all necessary resource files are copied during the publishing process.
  • MVC - If an MVC widget or form component was registered with an identifier containing a certain suffix (e.g., one matching a blocked IIS extension such as '.resources' or '.sitemap'), an error occurred when the item was added to the page or form builder.
  • REST - Authentication of requests to the Kentico REST service failed if the provided password contained the colon character (':').
  • Web analytics - The 'Seznam' search engine defined in the 'Search Engines' application had an obsolete domain configured in its 'Domain rule' property. As a result, visitors from the Seznam search engine (seznam.cz) were not being tracked accurately. After applying the hotfix, the system correctly tracks all visitors that access a site from the 'Seznam' search engine.
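
The REST item above concerns passwords that contain ':'. The following is an added illustration, not Kentico's code: the page does not say how the service parsed credentials, so the example assumes HTTP Basic authentication and shows the RFC 7617 rule (split user-id and password at the first colon only) beside a hypothetical naive parser that rejects such passwords. All function names and sample credentials are constructed.

```python
import base64
import binascii


def _decode_basic(header):
    """Return the decoded 'user-id:password' string, or None if malformed."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
        return raw.decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def parse_naive(header):
    """Hypothetical buggy parser: splits on every colon."""
    decoded = _decode_basic(header)
    if decoded is None:
        return None
    parts = decoded.split(":")
    if len(parts) != 2:  # 'user:p:ss' yields 3 parts and is rejected
        return None
    return parts[0], parts[1]


def parse_rfc7617(header):
    """Split at the first colon only; the password may contain ':'."""
    decoded = _decode_basic(header)
    if decoded is None or ":" not in decoded:
        return None
    user, _, password = decoded.partition(":")
    return user, password


def make_header(user, password):
    """Client side: build the Authorization header value."""
    if ":" in user:
        raise ValueError("user-id must not contain ':' (RFC 7617)")
    token = base64.b64encode(f"{user}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


if __name__ == "__main__":
    # Constructed sample credentials, not taken from any real system.
    hdr = make_header("editor", "s3cr:et:pw")
    print("naive  :", parse_naive(hdr))
    print("rfc7617:", parse_rfc7617(hdr))
```

A regression test for this class of bug should include at least one account whose password contains a colon, since every other credential passes through both parsers unchanged.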


Hotfix 12.0.12

Published: Fri, 01 Mar 2019 12:19:32 GMT

Be sure to check our Hotfix instructions before starting the hotfix process. It might save you some trouble afterwards.

Fixed bugs:

  • E-commerce - If a tax exemption for customers was created by registering a custom 'ICustomerTaxClassService' implementation, it was only applied for products with a tax class that had the 'Zero tax if tax ID is supplied' property enabled. After applying the hotfix, the property no longer affects custom tax exemptions (unless checked in the code of the custom implementation).
  • Email marketing - The system did not send confirmation emails to recipients who unsubscribed from a single email feed of the 'Email campaign' type. Additionally, confirmation emails were incorrectly sent in certain cases after unsubscribing from all email feeds (email campaigns and newsletters), which is not intended behavior.
  • Form components - The hotfix removes the 500 character restriction placed on the 'Text area' form component for the MVC Form builder. After applying the hotfix, the character limit is by default set to the maximum number of characters allowed by the underlying database column. However, note that this change is only reflected in form fields created after the hotfix was applied. See the hotfix instructions for details.
  • Page builder - Calling the 'GetPage' method in the Index action of an MVC widget without any properties defined resulted in an error when the widget was displayed.


Hotfix 12.0.11

Published: Fri, 22 Feb 2019 12:33:14 GMT

Be sure to check our Hotfix instructions before starting the hotfix process. It might save you some trouble afterwards.

Fixed bugs:

  • Form controls - A validation error occurred when attempting to save a field with the 'Form field selector' form control if the control's 'Field data type' setting was set to the 'All' option.
  • MVC - Page builder and preview functionality did not work on pages whose controller and action were accessed through another action using an MVC redirect method (for example 'RedirectToAction').
  • Page builder - Widgets or sections that utilized actions other than 'Index' (for example the submit action of the default 'Form' widget) did not work correctly in certain scenarios. The problem could occur if the MVC application's route collection did not contain a general route with a controller and action parameter, or if a different route with a custom controller and the 'Index' action matched the page builder URLs.
  • URL rewriting & SEO - If the default CSRF security token functionality was disabled using the 'CMSEnableCsrfProtection' web.config key, custom 404 error handling pages assigned through the 'Page not found URL' setting were not displayed when a POST request targeted a non-existing URL (by default the standard IIS 404 page was displayed instead).


Hotfix 12.0.10

Published: Fri, 15 Feb 2019 10:46:22 GMT

Be sure to check our Hotfix instructions before starting the hotfix process. It might save you some trouble afterwards.

Fixed bugs:

  • MVC - After installing or updating the 'Kentico.AspNet.Mvc' NuGet package, the 'CMSApplicationModule' module in the MVC project's web.config file did not contain the 'preCondition' attribute, which could have a negative performance impact on the application. Versions 12.0.10 and newer of the package ensure that the preCondition is correctly set to 'managedHandler'.