Are you vulnerable?

Konsult wants to improve the way we inform you about security issues. Transparency is key to keeping your websites patched and as secure as possible. Below you will find the issues fixed by each hotfix for Kentico 12 and later versions, with security fixes marked as such.

The hotfixes are cumulative, meaning that each hotfix contains all the previous hotfixes for the same version. We recommend that you apply the latest hotfix available for the Kentico version you are using. If you are looking for older versions, please visit https://devnet.kentico.com/download/hotfixes.

Hotfix 13.0.54

Published: Fri, 03 Dec 2021 11:25:06 GMT

Be sure to check our Hotfix instructions before starting the hotfix process. It might save you some trouble afterwards.

Fixed bugs:

  • Form components - The default value of form components was initialized incorrectly. This caused an error for form components that had a non-nullable data type (e.g., value types such as 'int' or 'bool') in cases where a default value was not assigned.
  • URL rewriting & SEO - Alternative URLs of a page didn't work correctly after the URL slug was changed for one of the page's ancestors in the content tree. The original cached alternative URLs were not invalidated correctly, so the problem persisted until the application's cache was cleared.


Hotfix 13.0.53

Published: Fri, 26 Nov 2021 15:35:48 GMT

Fixed bugs:

  • Security (Critical) - SQL injection in certain macros - Certain online marketing macro methods contained an SQL injection vulnerability that could be abused by authenticated editors in the administration interface. Adding a malicious SQL query as a macro method parameter could allow unauthorized access to data or modifications in the database.
  • E-commerce - If a product had multiple culture versions, certain properties, such as the 'Product name', 'Description' and 'Short description' couldn't be cleared to an empty value for the non-default culture. The product incorrectly used the value from the default culture version instead of the empty value.
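
The pattern behind the 13.0.53 fix, as an added example that is not Kentico's code and not the affected macro method itself: a hypothetical macro-method body that filters contacts by an editor-supplied parameter, first with the parameter concatenated into the condition string, then with the parameterized WhereContains() call. The class and method names are this example's own; ContactInfo.Provider, Where(), WhereContains() and SqlHelper.EscapeQuotes are the Xperience 13 API.

```csharp
using System.Linq;
using CMS.ContactManagement;
using CMS.DataEngine;

// Hypothetical macro-method bodies (class and method names are this example's own).
public static class ContactLookupExample
{
    // VULNERABLE: the editor-supplied parameter is pasted into the WHERE clause.
    // An illustrative value such as   x' OR 1=1 --   returns every contact, and a
    // UNION or a stacked statement reads or modifies other tables under the
    // application's database login, whatever the editor's Xperience permissions are.
    public static string[] EmailsContainingUnsafe(string fragment)
    {
        return ContactInfo.Provider.Get()
            .Where("ContactEmail LIKE '%" + fragment + "%'")
            .Column("ContactEmail")
            .Select(contact => contact.ContactEmail)
            .ToArray();
    }

    // FIXED: WhereContains() binds the value as a SQL parameter, so quotes and
    // comment markers inside it are data, not SQL syntax.
    public static string[] EmailsContaining(string fragment)
    {
        return ContactInfo.Provider.Get()
            .WhereContains("ContactEmail", fragment)
            .Column("ContactEmail")
            .Select(contact => contact.ContactEmail)
            .ToArray();
    }

    // Fallback when a raw condition string cannot be avoided: escape the quotes,
    // and never let the parameter choose column or table names. Parameterization
    // is still the better option, so prefer the method above.
    public static string[] EmailsContainingEscaped(string fragment)
    {
        string escaped = SqlHelper.EscapeQuotes(fragment);
        return ContactInfo.Provider.Get()
            .Where("ContactEmail LIKE '%" + escaped + "%'")
            .Column("ContactEmail")
            .Select(contact => contact.ContactEmail)
            .ToArray();
    }
}
```

Applying 13.0.53 fixes the affected built-in methods only. Custom macro methods, custom modules and any Where("...") call that is assembled from user input need the same review, and the first method above is the shape to look for.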


Hotfix 13.0.52

Published: Tue, 23 Nov 2021 08:48:33 GMT

Hotfix 13.0.52 is the Kentico Xperience 13 Refresh 4 release, which represents a larger update than a standard hotfix and includes new features. For detailed information about the introduced changes, please refer to the Refresh release notes.
 

Hotfix 13.0.51

Published: Fri, 12 Nov 2021 19:19:10 GMT

Fixed bugs:

  • Form components - The system's reCAPTCHA form component did not support communication via the TLS 1.3 protocol. If the live site application was configured to use TLS 1.3, forms containing the reCAPTCHA component could not be submitted and the component itself returned a 'The reCAPTCHA server is unavailable' validation error.
  • Licensing - Under rare circumstances, accessing the 'License keys' application resulted in an error, making it impossible to manage product licenses.
  • Unix/Linux - It was not possible to edit widget properties via the configuration dialog (cogwheel icon). Attempting to save any changes resulted in an HTTP 403 (Forbidden) error. This issue only occurred when the live site was deployed in Linux environments.


Hotfix 13.0.50

Published: Fri, 05 Nov 2021 10:59:55 GMT

Fixed bugs:

  • Content personalization - Dependency injection was not supported when developing personalization condition type classes for page builder widgets. After applying the hotfix, the constructor of condition type classes inheriting from the 'ConditionType' base class can have parameters (e.g., instances of services registered in the project's DI container). The hotfix does not add dependency injection support in controller classes that implement custom configuration dialogs for personalization conditions (inheriting from 'ConditionTypeController').
  • Search - It was not possible to change the domain name suffix of requests generated by the system for Azure search services (e.g., 'myazuresearchservice.search.windows.net'). The majority of commercial search services are hosted on the 'search.windows.net' domain. However, certain Azure subscription types, such as Azure Government, host search services under different domains. The hotfix introduces a new 'CMSAzureSearchDnsSuffix' configuration key that allows you to specify the domain where your search services are hosted, overriding the default system behavior. See the hotfix instructions for details.


Hotfix 12.0.97

Published: Fri, 05 Nov 2021 09:40:57 GMT

Fixed bugs:

  • Search - It was not possible to change the domain name suffix of requests generated by the system for Azure search services (e.g., 'myazuresearchservice.search.windows.net'). The majority of commercial search services are hosted on the 'search.windows.net' domain. However, certain Azure subscription types, such as Azure Government, host search services under different domains. The hotfix introduces a new 'CMSAzureSearchDnsSuffix' configuration key that allows you to specify the domain where your search services are hosted, overriding the default system behavior. See the hotfix instructions for details.


Hotfix 13.0.49

Published: Fri, 29 Oct 2021 08:20:42 GMT

Fixed bugs:

  • Page builder - If a widget zone's name (identifier) was added or changed in the code of a page builder section, new pages with the section displayed an unnecessary warning, even though the page didn't contain any widgets that could be affected by the change. The problem occurred if the updated section was the default option for an editable region on the page or its template.
  • Page builder - Script tags placed in the markup of page and form builder components (for example widgets) were rendered without attributes in most cases when the component was displayed in the builder interface or the live version of the page. For example, this could break scripts using the 'type="module"' attribute.
  • Staging - After a role with assigned users was updated and synchronized through staging, the event log on the target server contained confusing 'Remove user from role' entries. The problem only affected the event log and the users were not actually removed from the role.


Hotfix 13.0.48

Published: Fri, 22 Oct 2021 14:02:15 GMT

Fixed bugs:

  • API - In ASP.NET Core projects, an error occurred when using dependency injection to get instances of services with a Scoped lifetime within the constructors of certain Xperience API classes. For example, the problem affected General selector data providers ('IGeneralSelectorDataProvider' implementations), Object selector Where condition providers, form components, page template or form component filters, and 'ICacheVaryBy' implementations.
  • E-commerce - Copying a product page with multiple culture versions incorrectly created a redundant copy of the related SKU object for every culture version. After applying the hotfix, only one SKU is created for the product page copy and shared by all culture versions.


Hotfix 13.0.47

Published: Fri, 08 Oct 2021 10:45:00 GMT

Fixed bugs:

  • Files - If a media library file or page attachment contained non-ASCII characters in its name, accessing the file through a permanent link ('~/getmedia' or '~/getattachment' URL) resulted in an error. The problem occurred only on sites using the ASP.NET Core development model.


Hotfix 13.0.46

Published: Fri, 01 Oct 2021 09:01:27 GMT

Fixed bugs:

  • Page builder - Under special circumstances, it was possible to select more items than allowed by the set limit in certain selectors for page builder component properties. The problem could occur if a user performed the selection while additional items were also being loaded for pagination in the selector.
  • Page builder - Image thumbnails in the 'Media files selector' for page builder component properties could overflow the borders of the selector field due to incorrect CSS z-index values.
  • Pages - Changes of the 'Show in menu' flag on the 'Properties > Navigation' tab of pages weren't saved. The issue occurred only after applying hotfix 13.0.39 or newer.
  • URL rewriting & SEO - When a page on an ASP.NET Core site was accessed under an alternative URL with the 'Alternative URLs mode' configured to 'Rewrite', any query string parameters present in the URL became duplicated (e.g., '?utm_source=xxx' transformed into '%3futm_source=xxx?utm_source=xxx') and a redirection loop occurred.


Hotfix 13.0.45

Published: Fri, 24 Sep 2021 10:14:24 GMT

Fixed bugs:

  • Media library - Accessing media library files using the direct file path did not work correctly in certain scenarios on sites using the ASP.NET Core development model. The issue occurred only after applying hotfix 13.0.44.
  • Page builder - The 'Page selector' dialog for page builder component properties had a potentially misleading tooltip for the button that selected all pages on the current level. The hotfix updates the tooltip to provide more accurate information.
  • Page builder - After a page chosen in the 'Page' or 'Path' selector components was deleted from the site, the selector automatically removed it without displaying any information. After applying the hotfix, the selectors display a "Missing page" warning in this scenario. The issue affected instances with hotfix 13.0.43 (Refresh 3), which allows selection of multiple pages for these selectors.
  • Search - On sites running behind a proxy server or another service that masks the application's original domain (e.g., Azure Application Gateway), the smart search crawler used for page types with a 'HTML output' search data source did not work correctly. JWT token validation failed, which resulted in logged errors and only content available for public users was indexed. The hotfix fixes the issue for ASP.NET Framework (MVC 5) sites. For ASP.NET Core sites, Forwarded Headers Middleware needs to be set up for the project. See the hotfix instructions for details.
  • User interface - If a macro was placed into the default value of a field with the 'Date & Time' data type in a module class (or its Alternative form), the value was not resolved correctly in the resulting administration interface form for users with a non-English UI culture.
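
For the ASP.NET Core side of the 13.0.45 smart search fix, an added example (not Kentico's code) of the Forwarded Headers Middleware setup the entry refers to, placed in the live site project's Startup. The proxy subnet and host name are placeholders. The security point is that the X-Forwarded-* headers are honoured only when the request comes from the known proxy: without KnownNetworks/KnownProxies and AllowedHosts, any client could supply an X-Forwarded-Host of its choosing and have it flow into the URLs and tokens the application builds.

```csharp
using System.Net;
using Kentico.Web.Mvc;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.Configure<ForwardedHeadersOptions>(options =>
        {
            // Restore the scheme, host and client address the proxy received, so
            // Request.Scheme/Host (and everything derived from them, including the
            // URLs handed to the search crawler) match the public origin rather
            // than the proxy's internal one.
            options.ForwardedHeaders = ForwardedHeaders.XForwardedFor
                                     | ForwardedHeaders.XForwardedProto
                                     | ForwardedHeaders.XForwardedHost;

            // The defaults trust loopback only. Replace them with the gateway's
            // address range so X-Forwarded-* from any other source is ignored.
            options.KnownProxies.Clear();
            options.KnownNetworks.Clear();
            options.KnownNetworks.Add(new IPNetwork(IPAddress.Parse("10.1.0.0"), 24)); // placeholder subnet

            // Even from the trusted proxy, accept only the site's own host names.
            options.AllowedHosts.Add("www.example.com");   // placeholder host
            options.ForwardLimit = 1;                       // exactly one proxy hop in front of the app
        });
    }

    public void Configure(IApplicationBuilder app)
    {
        // Must run before routing, authentication and UseKentico(), because those
        // read the request scheme and host.
        app.UseForwardedHeaders();

        app.UseKentico();
        // ... routing, endpoints and the rest of the pipeline as in the project
    }
}
```

If the gateway is not the only hop (for example a CDN in front of it), raise ForwardLimit to the number of trusted hops and add each hop's range to KnownNetworks; do not clear the lists and leave them empty, since that trusts every source.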


Hotfix 12.0.96

Published: Mon, 20 Sep 2021 11:54:56 GMT

Fixed bugs:

  • E-commerce - When creating new products representing a 'Bundle', the 'Remove from inventory' property was always saved with the 'Remove bundle only' value, even if a different option was selected.
  • E-mail engine - The system stopped sending emails in rare cases when an SMTP server did not return any response. Emails remained stuck in the email queue with the 'Sending' state. On instances with only one SMTP server configured, this scenario could fully block sending of emails.
  • Form builder - The form component selection dialog in the form builder interface was positioned incorrectly when adding fields to very long forms that required scrolling.
  • Page builder - Saving a page with a large amount of page builder content could fail in certain cases. The problem was caused by deadlocks that could occur when saving large page builder configurations due to incorrect processing of asynchronous requests.


Hotfix 13.0.44

Published: Fri, 17 Sep 2021 11:09:18 GMT

Fixed bugs:

  • Security (Important) - Flawed MIME type validation for uploaded files - Certain locations within the system allowed uploading of files with a spoofed Content-Type that did not match the file extension, which could lead to a cross-site scripting (XSS) vulnerability when the file was later served with the spoofed type.
  • Attachments - On ASP.NET Core sites, page attachments that were stored on the file system in a custom folder (configured as a virtual path in the 'Settings -> System -> Files -> Files folder' setting) were not loaded and returned a 404 Not Found error if the 'Settings -> System -> Performance -> Redirect files to disk' setting was enabled.
  • E-commerce - When creating new products representing a 'Bundle', the 'Remove from inventory' property was always saved with the 'Remove bundle only' value, even if a different option was selected.
  • Sentiment analysis - When working with the marketing automation process generated by the sentiment analysis demo on the Dancing Goat sample site, an error occurred if the 'Analyze sentiment' custom step was manually added to the process. The error prevented further work in Design mode for the process.
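
For the 13.0.44 MIME validation fix, an added example (not Kentico's code) of the consistency check a custom upload handler should apply before accepting a file, plus the headers to serve the stored file with. The allow-list and the class and method names are this example's own; the file name passed to ResponseHeaders() is assumed to be already sanitized.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;

public static class UploadCheckExample
{
    // Hypothetical allow-list: extension -> expected media type and magic-byte prefixes.
    // SVG is deliberately absent: it is an image type that can carry <script>.
    private static readonly Dictionary<string, (string Mime, byte[][] Magic)> Allowed =
        new Dictionary<string, (string Mime, byte[][] Magic)>(StringComparer.OrdinalIgnoreCase)
        {
            [".png"]  = ("image/png",       new[] { new byte[] { 0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A } }),
            [".jpg"]  = ("image/jpeg",      new[] { new byte[] { 0xFF, 0xD8, 0xFF } }),
            [".jpeg"] = ("image/jpeg",      new[] { new byte[] { 0xFF, 0xD8, 0xFF } }),
            [".gif"]  = ("image/gif",       new[] { new byte[] { 0x47, 0x49, 0x46, 0x38 } }),
            [".pdf"]  = ("application/pdf", new[] { new byte[] { 0x25, 0x50, 0x44, 0x46 } }),
        };

    // Returns null when the upload is consistent, otherwise the reason to reject it.
    // 'head' is the first few bytes of the uploaded content.
    public static string Validate(string fileName, string declaredContentType, byte[] head)
    {
        string ext = Path.GetExtension(fileName);
        if (!Allowed.TryGetValue(ext, out var rule))
            return "extension not allowed";

        // Drop parameters such as "; charset=utf-8" before comparing.
        string declared = (declaredContentType ?? string.Empty).Split(';')[0].Trim();
        if (!string.Equals(declared, rule.Mime, StringComparison.OrdinalIgnoreCase))
            return "declared Content-Type does not match extension";   // e.g. text/html on a .png

        if (!rule.Magic.Any(m => head.Length >= m.Length && head.Take(m.Length).SequenceEqual(m)))
            return "file content does not match extension";           // e.g. HTML bytes named .png

        return null;
    }

    // Headers to serve the stored file with: the type derived from the extension
    // (never the client's declared one), nosniff, and download-only for non-images.
    public static IDictionary<string, string> ResponseHeaders(string fileName)
    {
        var rule = Allowed[Path.GetExtension(fileName)];
        var headers = new Dictionary<string, string>
        {
            ["Content-Type"] = rule.Mime,
            ["X-Content-Type-Options"] = "nosniff",
        };
        if (!rule.Mime.StartsWith("image/", StringComparison.Ordinal))
            headers["Content-Disposition"] = "attachment; filename=\"" + Path.GetFileName(fileName) + "\"";
        return headers;
    }
}
```

Validate("logo.png", "text/html", htmlBytes) fails on the declared type, and Validate("logo.png", "image/png", htmlBytes) fails on the magic bytes; only a file whose extension, declared type and leading bytes agree passes. Serving with the extension-derived type and nosniff removes the browser's reason to interpret the file as HTML even if a spoofed file already sits in storage.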


Hotfix 13.0.43

Published: Tue, 14 Sep 2021 07:22:45 GMT

Hotfix 13.0.43 is the Kentico Xperience 13 Refresh 3 release, which represents a larger update than a standard hotfix and includes new features. For detailed information about the introduced changes, please refer to the Refresh release notes.
 

Hotfix 13.0.42

Published: Fri, 03 Sep 2021 08:56:11 GMT

Fixed bugs:

  • E-mail engine - The system stopped sending emails in rare cases when an SMTP server did not return any response. Emails remained stuck in the email queue with the 'Sending' state. On instances with only one SMTP server configured, this scenario could fully block sending of emails.
  • Security - The screen lock functionality did not activate if the screen lock interval was configured to a period longer than 15 minutes.
  • Unix/Linux - It was not possible to run Xperience-specific isolated integration tests (derived from the 'IsolatedIntegrationTests' class) in Linux environments due to database connection issues. The hotfix introduces a new 'CMSTestIsolatedAltConnectionString' configuration key that allows test projects to connect to databases running in Linux environments. See the hotfix instructions for details.


Hotfix 13.0.41

Published: Fri, 27 Aug 2021 10:15:34 GMT

Fixed bugs:

  • MVC - Links generated by the 'Url.Action' and 'Html.ActionLink' methods on MVC sites had invalid URLs for pages that used page templates. The problem could occur if the methods were called directly in a page template view or in the code of a layout used by the page.
  • WYSIWYG editor - The Rich text editor for the Page Builder did not allow customization of the 'Insert Link' dialog. The 'linkAttributes' toolbar option was not reflected by the system.
  • WYSIWYG editor - If an image tag was manually inserted in the 'Code View' of the Rich text editor component, an error occurred when using the 'Replace' option for the image. For example, the problem occurred when editing the content of the 'Rich text' page builder widget.


Hotfix 13.0.40

Published: Fri, 13 Aug 2021 09:19:24 GMT

Fixed bugs:

  • Attachments - The image resizing settings configured in 'Settings > System > Files > Image resizing' were not applied to images uploaded as page attachments using the 'Attachment selector' or 'Rich text editor' component. For example, the problem occurred when a file was uploaded through a page builder widget property using one of the given form components.
  • Files - An error occurred when retrieving files using Xperience handlers on ASP.NET Core sites with certain non-English default content cultures (e.g., Arabic). For example, the issue occurred for permanent URLs of media library files based on the 'getmedia' handler, such as '/getmedia/0140bccc-9d47-41ea-94a9-ca5d35b2964c/image.jpg'.
  • Form builder - The Form Builder was incorrectly configured to detect the default invariant culture when running on Linux environments. As a result, attempts to access the Form Builder interface resulted in an error in certain cases (ArgumentNullException). The issue occurred only after applying hotfix 13.0.14 or newer.
  • Sentiment analysis - The sentiment analysis feature did not work in cases where all wrapping HTML tags were removed from the content of a page field based on the 'Rich text editor' form control.
  • User interface - Radio button or checkbox lists in the administration interface were not styled correctly and could overflow if there was a very large number of options. For example, the problem could occur when displaying filters based on E-commerce product options.


Hotfix 13.0.39

Published: Fri, 06 Aug 2021 09:48:29 GMT

Fixed bugs:

  • A/B testing - On instances with hotfix 13.0.25 or newer applied, A/B tests incorrectly logged visits of the tested page and conversions for visitors who had not given consent to be tracked as contacts (did not accept on-line marketing cookies). This could impact the conversion statistics of A/B tests in a misleading way. After applying the hotfix, visits and conversions are logged only for contacts included in the A/B test. If a visitor gives consent after viewing the tested page for the first time, visits and conversions are logged only after they revisit the page.
  • Form builder - When the 'Rich text editor' was assigned to a property of a form component or section, the editor interface incorrectly displayed the 'Select' option for links and 'Replace' option when editing images. These options are not supported in the form builder and caused an error when clicked. After applying the hotfix, the unsupported options are hidden when the rich text editor is used within the form builder.
  • Media library - The image resizing settings configured in 'Settings > System > Files > Image resizing' were not applied to images uploaded using the 'Media files selector' or 'Rich text editor' component. For example, the problem occurred when a file was uploaded through a page builder widget property using one of the given form components.
  • UI personalization - If the UI personalization feature was enabled, the 'Properties > Navigation' tab in the Pages application was not accessible even if the corresponding element in the UI personalization settings was allowed for a user's role.


Hotfix 13.0.38

Published: Fri, 30 Jul 2021 12:14:30 GMT

Fixed bugs:

  • API - Dependency injection was not supported when developing filters for page templates or form components. After applying the hotfix, the constructor of filter classes implementing 'IPageTemplateFilter' or 'IFormComponentFilter' can have parameters (e.g., instances of services registered in the project's DI container). Such filters must be registered into the corresponding filter collection using the 'Add<FilterClassType>' method, with the filter class as the generic type parameter.
  • Hotfix - When installing hotfix 13.0.37, certain files were incorrectly marked and detected as customized, which prevented the hotfix from fully applying changes (manual resolving of the affected code was required). Apply hotfix 13.0.38 or newer to correctly fix issues from the previous hotfix.
  • Macros - Macro rules didn't work correctly if they had a parameter with a 'Field caption' that contained the '&' character. When such rules were added to a condition, the condition was only saved as macro code without the rule interface. Additionally, any macro rule translators registered to optimize the rule's performance were not applied.


Hotfix 12.0.95

Published: Thu, 29 Jul 2021 08:48:32 GMT

Fixed bugs:

  • API - The 'UserInfoProvider.GetUserName' method could cause a null reference exception in certain scenarios where the processed user did not exist. This could lead to errors when calling user-related API in custom code, for example the 'UserRoleInfoProvider.DeleteUserRoleInfo' method.
  • Page builder - Actions in the page builder and form builder interface that opened confirmation dialogs did not work when using version 92.0.4515 or newer of the Chrome browser. For example, the problem occurred when deleting widgets and sections, or after canceling changes in a properties dialog. The following error was logged into the browser console: "A different origin subframe tried to create a javascript dialogue. This is no longer allowed and was blocked."


Hotfix 13.0.37

Published: Tue, 27 Jul 2021 17:05:47 GMT

Fixed bugs:

  • On-line forms - When using the 'Display text' option in the 'After the form is submitted' setting on a form's 'General' tab with localized text, the entered text was incorrectly subjected to HTML encoding before being displayed on the live site (e.g., the '<' character was transformed into '&lt;').
  • Page builder - Actions in the page builder and form builder interface that opened confirmation dialogs did not work when using version 92.0.4515 or newer of the Chrome browser. For example, the problem occurred when deleting widgets and sections, or after canceling changes in a properties dialog. The following error was logged into the browser console: "A different origin subframe tried to create a javascript dialogue. This is no longer allowed and was blocked."


Hotfix 13.0.35

Published: Fri, 16 Jul 2021 09:06:26 GMT

Fixed bugs:

  • API - The 'UserInfoProvider.GetUserName' method could cause a null reference exception in certain scenarios where the processed user did not exist. This could lead to errors when calling user-related API in custom code, for example the 'UserRoleInfoProvider.DeleteUserRoleInfo' method.
  • Content personalization - The object and general selector components with multiple item selection did not work correctly in page builder widget personalization dialogs. If one of these selectors was assigned as the editing component of a personalization condition type property, selecting a value for the property resulted in a broken personalization dialog.
  • Pages - The 'Edit > Page' and 'Preview' tabs of the Pages application incorrectly required the 'Modify' permission for pages (i.e., the 'Content' module or specific page types). These tabs displayed blank content for users with only 'Read' and 'Browse tree' permissions.
  • Staging - Staging synchronization tasks for custom table items were always logged for all sites in the system, even when the 'CMSStagingLogGlobalObjectsOnlyForAssignedSites' configuration key was enabled. After applying the hotfix, the tasks are logged only for sites to which the parent custom table of the modified item is assigned.


Hotfix 13.0.34

Published: Fri, 09 Jul 2021 08:52:09 GMT

Fixed bugs:

  • Form components - Dependency injection was not supported when developing data provider classes that load and prepare items for the General selector component. After applying the hotfix, the constructor of data provider classes implementing 'IGeneralSelectorDataProvider' can have parameters (e.g., instances of services registered in the project's DI container).
  • Salesforce - With replication of contacts into Salesforce leads enabled, data was not correctly transferred to Salesforce for merged contacts (when a merged contact was updated or a new contact was created and merged into an existing contact). The issue also incorrectly prevented such contacts from being replicated in the future.
  • WYSIWYG editor - When adding a link to images within the content of the Rich text editor component, the link URL could not be typed manually. Pasting the link or selecting an item to link worked correctly. For example, the problem occurred when editing the content of the 'Rich text' page builder widget.
  • WYSIWYG editor - Editing and saving a link within the content of the Rich text editor component did not work unless the existing link was cleared beforehand. For example, the problem occurred when editing the content of the 'Rich text' page builder widget.


Hotfix 13.0.33

Published: Fri, 02 Jul 2021 09:21:13 GMT

Fixed bugs:

  • Search - Azure search index update tasks generated by the system for stand-alone SKUs incorrectly contained data that could trigger an index update for a page with an identical ID as the stand-alone SKU. Such index updates were unnecessary, since stand-alone SKUs are not tied to pages and updates never lead to changes in any page objects.
  • URL rewriting & SEO - When a page was accessed under an 'Alternative URL' with the system configured to redirect to the main page URL, any query string parameters present in the URL became duplicated (e.g., '?utm_source=xxx' transformed into '?utm_source=xxx?utm_source=xxx').
  • WYSIWYG editor - Custom toolbar configurations for the Rich text editor were not applied when the component was used in a page builder widget. The problem occurred after applying hotfix 13.0.31 or 13.0.32 (Refresh 2).


Hotfix 13.0.32

Published: Fri, 25 Jun 2021 11:18:45 GMT

Fixed bugs:

  • Content editing - The button for performing sentiment analysis of rich text or text area fields didn't have a tooltip (on the Content tab of the Pages application).
  • Form controls - If an administration form field used the 'Calendar' form control and had a visibility condition depending on another field, datetime macros placed into the field's default value were incorrectly resolved into the English (en-US) culture instead of the user's selected UI culture. This could lead to inconsistencies or date format errors. For example, if a page type field used the Calendar form control, with the '{%DateTime.Now%}' macro as the default value, the problem could occur when a user with the 'English - United Kingdom' UI culture created a new page of the given type.
  • Media library - When the 'CMSMediaLibraryDisplayOnlyImportedFiles' configuration key (an internal key provided via support to specific customers) was set to true, ordering the list on the 'Files' tab of the media library editing interface based on the 'Modified' column resulted in an error.
  • Page builder - The 'Rich text editor' component displayed the preview of its content incorrectly when used in a page builder configuration dialog (for example assigned as the editing component of a widget property). The issue only occurred after applying hotfix 13.0.31 (Refresh 2).
  • Page builder - If a page builder component property used the object or general selector with multiple item selection, unselecting an item triggered the evaluation of visibility conditions incorrectly, which resulted in a broken state of the selector. The issue occurred only after applying hotfix 13.0.25 or newer.
  • Web farms - In hosting environments that dynamically adjust the number of instances (e.g., autoscaling in Azure App Services), deactivated web farm servers always remained in the system with the 'Not responding' status for 24 hours. This could cause performance problems and heavy database load due to large numbers of unnecessary synchronization tasks generated after scaling down the number of servers. The hotfix adds the option to adjust the interval for which web farm servers stay in the 'Not responding' status before being deleted. To change the default interval of 24 hours, set the new 'CMSWebFarmNotRespondingInterval' configuration key to the required number of minutes, e.g., '60' for 1 hour.


Hotfix 13.0.31

Published: Tue, 22 Jun 2021 07:41:13 GMT

Hotfix 13.0.31 is the Kentico Xperience 13 Refresh 2 release, which represents a larger update than a standard hotfix and includes new features. For detailed information about the introduced changes, please refer to the Refresh release notes.
 

Hotfix 13.0.30

Published: Fri, 11 Jun 2021 10:25:51 GMT

Fixed bugs:

  • Page builder - On sites with a defined Administration domain alias, an error occurred when viewing parts of the administration based on virtual context URLs, for example the Preview mode of pages and the page builder or form builder interface. The issue only affected instances with hotfix 13.0.29 or newer applied.
  • URL rewriting & SEO - The 'Use URLs with trailing slash' setting for sites with content tree-based routing only applied to URLs generated for pages by the system. Page URLs with a different trailing slash state were not redirected based on the selected option.


Hotfix 13.0.29

Published: Fri, 04 Jun 2021 19:48:58 GMT

Fixed bugs:

  • Security - The hotfix updates the authentication functionality for virtual context URLs used in the administration interface when previewing or editing live site pages. The minor changes ensure a higher level of security.
  • General - On instances containing multiple sites hosted on a single application with shared resources (e.g., using the same Azure Web Apps service or a shared application pool on an IIS server), switching between sites in the administration caused errors for virtual context URLs, for example when viewing pages in Preview mode, editing pages using the page builder, or editing forms in the Form builder interface.
  • WYSIWYG editor - Page fields based on the 'Rich text editor' form control were displayed incorrectly in cases where the field was disabled for editing. For example, the problem could occur on the 'Content' tab for pages under workflow with the 'Published' status.


Hotfix 13.0.27

Published: Fri, 28 May 2021 12:53:45 GMT

Fixed bugs:

  • Security (Informative) - Self Cross-site scripting when submitting forms - A cross-site scripting vulnerability was present when submitting form data using the Form widget or on the Recorded data tab in the administration. Only the users submitting the form were affected by this vulnerability, therefore it is classified as self-XSS.
  • Unix/Linux - Attempting to retrieve files hosted on external storage via Xperience handlers (e.g., 'GetAzureFile.aspx') resulted in an HTTP 404 Not Found error. This issue only occurred on ASP.NET Core applications hosted on Linux.


Hotfix 13.0.26

Published: Fri, 21 May 2021 11:59:14 GMT

Fixed bugs:

  • API - Getting URLs for image variants of page attachments by calling the 'WithVariant' extension method for 'IPageAttachmentUrl' objects did not work, and the original unmodified attachment URL was returned.
  • URL rewriting & SEO - When using the former URLs functionality for pages on a site with content tree-based routing, the system did not preserve query string values when redirecting visitors from former URLs to the current ones.


Hotfix 13.0.25

Published: Fri, 14 May 2021 12:26:52 GMT

Fixed bugs:

  • A/B testing - Pages with a running A/B test displayed variants inconsistently to visitors who had not given consent to be tracked as contacts (did not accept on-line marketing cookies). After applying the hotfix, the system assigns a page variant and stores it into the new 'CMSVarAB<name>' cookie even for visitors who are not tracked as contacts. This cookie is only used to keep content consistent and does not enable any tracking or logging of conversions.
  • General - The Xperience administration project contained an old version of the 'System.Text.Json' assembly in its Lib folder, which could cause assembly version conflicts. Applying the hotfix removes the obsolete assembly (the correct version is already provided via an installed NuGet package).
  • Page builder - Page builder component properties using the object or general selector with multiple item selection triggered the evaluation of visibility conditions after the selection of the first item. As a result, it was not possible to select multiple items and the dialog did not close properly. The issue occurred only after applying hotfix 13.0.23 or newer.
  • Pages - For pages with a name longer than the maximum allowed alias length of 50 characters, the system could in certain cases generate a page alias value ending with the replacement character for forbidden URL characters (a hyphen by default). This character was removed on subsequent saves of the page, which could lead to inconsistencies, for example when staging the page to another server. After applying the hotfix, page aliases are always generated without the replacement character at the end.