Are you vulnerable?

Konsult wishes to improve the way we inform you about security issues. Transparency is key to making sure your websites are patched and as secure as possible. Here you will see all security issues fixed in Kentico 12 and all future versions.

The hotfixes are cumulative, meaning that the hotfix contains all the previous hotfixes for the same version. We recommend that you apply the latest hotfix available for the respective Kentico version you are using. If you are looking for older versions, please visit https://devnet.kentico.com/download/hotfixes.
 

Hotfix 12.0.28

Published: Fri, 21 Jun 2019 11:23:43 GMT

Be sure to check our Hotfix instructions before starting the hotfix process. It might save you some trouble afterwards.

Fixed bugs:

  • Attachments - If checking of page permissions was enabled for attachment files ('System -> Files -> Check files permission' setting), the result of the permission evaluation was cached incorrectly. This could cause users to incorrectly be allowed (or unable) to access attachments based on the cached result.
  • Media library - The system incorrectly retrieved and displayed the file size value as 0B for very large media library files (for example in the 'Media libraries' application and media selection dialogs).


Hotfix 12.0.27

Published: Fri, 14 Jun 2019 13:03:10 GMT

Fixed bugs:

  • Email marketing - If an email widget used in a marketing email was deleted, the email was then modified and saved, and the widget was later restored, it was not possible to send out the marketing email (the system did not detect the restoration of the widget and update the email to a sendable state).
  • On-line marketing - On sites built using the MVC development model, 'Page visit' and 'Landing page' activities were incorrectly logged when viewing pages in the 'Pages' application of the administration interface. After applying the hotfix, page related activities are only logged on the live site.


Hotfix 12.0.26

Published: Fri, 07 Jun 2019 19:03:14 GMT

Fixed bugs:

  • Import/Export - When a package containing site-specific data was imported, the system forced the rebuild of all smart search indexes. This occurred for all imported objects and could result in long and unnecessary rebuild operations for large indexes. The hotfix disables the forced index rebuild and introduces a new 'Rebuild site search indexes' setting in the 'Objects selection' step of the import wizard, allowing users to determine whether an index rebuild is necessary for each individual import.
  • MVC - Properties of page and form builder components annotated with the 'EditingComponent' attribute were incorrectly validated against the database column size constraints specified in the constructor of the corresponding editing component's properties class. After applying the hotfix, the database column size constraint validation is performed only when submitting values via a form composed using the 'Form builder.'
  • MVC - The 'Insert link' dialog, available in the editor for rich text fields on the 'Content' tab of content-only pages, incorrectly created page links with absolute URLs, including the site's scheme, domain and application path (i.e. the site's 'Presentation URL'). This could cause broken links when transferring content between different environments, for example using staging. After applying the hotfix, the editor creates page links with virtual relative URLs ('~/<link path>'). Additionally, the hotfix introduces an output filter that automatically resolves all relative URLs on the side of the MVC live site (based on the environment where the site is actually running). See the hotfix instructions for more information.
  • Page builder - If content added through the page builder (for example using a custom text editor widget) included URLs in virtual relative format, the URLs became broken after resaving the content on the 'Page' tab in the 'Pages' application. Relative URLs ('~/<resource path>') are resolved into virtual context URLs ('/cmsctx/.../<resource path>') to work within the administration interface, but this value was incorrectly saved into the database on subsequent edits. After applying the hotfix, virtual context URLs are reversed back into relative URLs before being saved. The fix does not address any existing broken links - these need to be fixed and resaved manually.


Hotfix 12.0.25

Published: Fri, 31 May 2019 13:36:45 GMT

Fixed bugs:

  • Email marketing - The 'Insert macro' dialog within the plain text editing interface for marketing emails did not offer context specific objects (for example 'Recipient' or 'Email'). The problem occurred only after applying hotfix 12.0.17 or newer.
  • Email marketing - When a marketing email in an email feed of the 'Email campaign' type contained the 'IsInPersona' macro and was sent to a contact group, the macro always returned a 'True' value for all contacts in the contact group. The previously released 12.0.23 hotfix fixed the same issue, but only for email feeds of the 'Newsletter' type.
  • Page builder - If the default 'Checkbox' component was assigned to a property of a personalization condition type (using the 'EditingComponent' attribute), the checkbox did not work correctly in the resulting configuration dialog when the condition type was selected while personalizing a page builder widget.
  • Reporting - If a user subscribed to an entire report that had parameters and a filter, the resulting report status emails did not contain any data.


Hotfix 12.0.24

Published: Fri, 24 May 2019 10:13:52 GMT

Fixed bugs:

  • Form controls - If a form field used the 'HTML5 input' form control, the 'Enabled condition' advanced field setting did not work. Such fields were always enabled even if the specified condition was not fulfilled.
  • Page builder - If a script or other resource was linked in the markup of an MVC page using a protocol-relative URL, the link URL was incorrectly modified and became broken when the page was viewed in preview mode or the page builder interface within the Pages application.
  • Web parts - Custom filters created for the 'Filter' web part were not loaded correctly on precompiled sites.


Hotfix 12.0.23

Published: Fri, 17 May 2019 13:51:26 GMT

Fixed bugs:

  • Controls - The '~/CMSModules/Content/FormControls/Documents/SelectPath.ascx' control's selection dialog did not work if the control was placed into the markup of a web form or user control and its 'EnableSiteSelection' property was set as an attribute.
  • E-commerce - Payments using the default Authorize.Net provider could fail due to an exceeded maximum length of requests generated by the system (in cases where the payment data contained long parameters, such as the names of shipping options, etc.). Additionally, the system did not resolve localization expressions in the parameters of the sent payment data.
  • Email marketing - When a marketing email containing the 'IsInPersona' macro was sent to a contact group, the macro always returned a 'True' value for all contacts in the contact group.
  • Staging - Staging service authentication using X.509 certificates did not work on instances hosted as an Azure App Service (the system worked with a different certificate store location than the one used by certificates imported into Azure).


Hotfix 12.0.22

Published: Fri, 10 May 2019 15:06:43 GMT

Fixed bugs:

  • Authentication - The system did not send password reset emails in cases where the user's email address matched the address of another user account that was disabled.
  • E-commerce - If a customer set both the shipping and billing address during checkout on a Portal Engine site (via a page containing the 'Customer detail' and 'Customer address' web parts), and then later returned to the given checkout step to update one of the addresses, the changes were not saved.
  • Media library - When the 'URL selector' form control was configured to display the Media tab and a media library 'Starting path' was also specified, it was not possible to select media files from subfolders if the given library was mapped to Azure storage.


Hotfix 12.0.21

Published: Fri, 03 May 2019 10:22:37 GMT

Fixed bugs:

  • Email marketing - Double opt-in, subscription, and unsubscription confirmation emails were sent with 'low' priority, which could cause long delays for subscribers on instances that sent out a large number of other emails. After applying the hotfix, the priority of such confirmation emails is set to 'normal'.
  • Form controls - When the 'Allow switch sides' setting was cleared and a 'Relationship name' was specified in the advanced editing control settings of a page type field that used the 'Related pages' form control, the resulting field did not allow adding of related pages from sites other than the current site.
  • Integration bus - When utilizing a web farm setup together with the integration bus, a single integration task could be processed by multiple web farm servers (usually when the environment experienced heavy load). For example, this could result in duplicates of the processed object being created in the connected external system.


Hotfix 11.0.49

Published: Fri, 26 Apr 2019 10:27:57 GMT

Fixed bugs:

  • Social media - When using URL shorteners to process links in text posted to social media, the application consumed excessive resources on the server (CPU) if the link URLs contained certain special characters. The problem also occurred when calling the 'URLShortenerHelper.ShortenURLsInText' method in custom code.


Hotfix 12.0.20

Published: Fri, 26 Apr 2019 09:01:50 GMT

Fixed bugs:

  • Portal Engine - When a page with a workflow applied contained an 'Editable text' web part, the latest version of the web part's content was not displayed in 'Preview' mode when viewing child pages which inherited the original page's content (via page nesting and the 'Page placeholder' web part).
  • Social media - When using URL shorteners to process links in text posted to social media, the application consumed excessive resources on the server (CPU) if the link URLs contained certain special characters. The problem also occurred when calling the 'URLShortenerHelper.ShortenURLsInText' method in custom code.
  • Translation services - The hotfix updates the Microsoft Translator Text API from Version 2 (V2) to Version 3 (V3), because V2 will be discontinued on April 30, 2019. In addition, the 'Speak' method of the 'MicrosoftTranslatorService' class, which could be used in custom code for text-to-speech functionality, is no longer supported after applying the hotfix.


Hotfix 12.0.19

Published: Thu, 18 Apr 2019 09:43:43 GMT

Fixed bugs:

  • Staging - When a page with an associated SKU was under a workflow, modified fields of the SKU that contained ID values (such as the 'SKUDepartmentID' field) were not staged correctly if the IDs were different between the staging servers, but the 'NodeSKUID' field was identical.


Hotfix 12.0.18

Published: Fri, 12 Apr 2019 08:54:30 GMT

Fixed bugs:

  • On-line forms - When editing forms on a Portal Engine site via the 'Form builder' tab in the 'Forms' application, removing or cloning of fields did not work if the field's 'Label' value contained an apostrophe (single quote) character.


Hotfix 10.0.52

Published: Wed, 10 Apr 2019 09:03:20 GMT

Fixed bugs:

  • Security (Critical) - Unauthenticated Remote Code Execution through .NET object deserialization in staging service - Due to an error in the Microsoft.Web.Services3 library, it was possible for a specially crafted request on staging service to bypass the initial authentication and proceed to deserialize user-controlled input. The deserialization of the user-controlled input then led to remote code execution on the server where the Kentico instance was hosted. The workaround for this issue is the same for all projects, regardless of staging utilization - set the 'Staging service authentication' setting to 'X.509':
    1. Navigate to 'Settings' -> 'Versioning & Synchronization' -> 'Staging'
    2. Under the 'Staging service' section set 'Staging service authentication' to 'X.509'
    3. 'Save' the changes


Hotfix 12.0.17

Published: Fri, 05 Apr 2019 12:23:27 GMT

Fixed bugs:

  • E-commerce - For users with an associated customer, setting the 'First name', 'Last name' or 'Email' property to an empty value incorrectly cleared the corresponding value for the customer entity. These are required fields for customers, so this type of synchronization caused an invalid state. After applying the hotfix, only non-empty name and email values are synchronized from users to customers.
  • Form builder - The 'FormFieldRenderingConfiguration.GetConfiguration' event added as part of the form builder markup customization API introduced in hotfix 12.0.14 was incorrectly invoked in certain scenarios. After applying the hotfix, the event is only triggered for forms rendered by the 'Form' widget. All documented customization scenarios remain unaffected.
  • Form controls - The 'Uni selector' form control did not save selected items correctly if the returned value (determined by the control's 'Return column name' setting) contained special characters. The problem occurred in selection modes that utilize a dialog, such as 'Multiple'.
  • Macros - If an email widget property used the 'Macro editor' form control, context specific objects were not available in the macro autocomplete feature and 'Insert Macro' dialog. It was still possible to enter such objects manually.


Hotfix 11.0.48

Published: Thu, 04 Apr 2019 14:17:35 GMT

Fixed bugs:

  • Security (Critical) - Unauthenticated Remote Code Execution through .NET object deserialization in staging service - Due to an error in the Microsoft.Web.Services3 library, it was possible for a specially crafted request on staging service to bypass the initial authentication and proceed to deserialize user-controlled input. The deserialization of the user-controlled input then led to remote code execution on the server where the Kentico instance was hosted. The workaround for this issue is the same for all projects, regardless of staging utilization - set the 'Staging service authentication' setting to 'X.509':
    1. Navigate to 'Settings' -> 'Versioning & Synchronization' -> 'Staging'
    2. Under the 'Staging service' section set 'Staging service authentication' to 'X.509'
    3. 'Save' the changes


Hotfix 12.0.16

Published: Fri, 29 Mar 2019 07:59:03 GMT

Fixed bugs:

  • API - The 'ResourceStringInfoProvider.TranslationExists' method returned an incorrect result in certain cases (after the system's cache was cleared).
  • Campaigns - When running a campaign on an MVC site, the value of the 'utm_content' parameter used in the campaign's links was not logged correctly for conversions or displayed in the campaign's reports.
  • Dialogs - When calling the 'modalDialog' JavaScript function in custom client code within the administration interface, the function's 'otherParams' parameter was ignored in certain cases (in locations where the system opened an advanced modal dialog). As a result, developers could not control parameters such as the resizability of the opened dialog.
  • Page builder - When using custom form components in the configuration dialog for page builder widget properties, scrolling functionality was incorrectly disabled. As a result, form components with scrollable elements (e.g. advanced drop-down options) did not work when used to edit widget properties.


Hotfix 12.0.15

Published: Fri, 22 Mar 2019 09:58:05 GMT

Fixed bugs:

  • Security (Critical) - Unauthenticated Remote Code Execution through .NET object deserialization in staging service - Due to an error in the Microsoft.Web.Services3 library, it was possible for a specially crafted request on staging service to bypass the initial authentication and proceed to deserialize user-controlled input. The deserialization of the user-controlled input then led to remote code execution on the server where the Kentico instance was hosted. The workaround for this issue is the same for all projects, regardless of staging utilization - set the 'Staging service authentication' setting to 'X.509':
    1. Navigate to 'Settings' -> 'Versioning & Synchronization' -> 'Staging'
    2. Under the 'Staging service' section set 'Staging service authentication' to 'X.509'
    3. 'Save' the changes
  • E-commerce - If the product variant editing form (i.e. the 'Variant properties' alternative form of the 'SKU' class) was customized to display the 'Image' field (SKUImagePath), the field's default 'Product image selector' form control did not correctly save information about uploaded image metafiles. This resulted in incorrect behavior, for example when displaying or staging the variant and its image.
  • Form controls - The 'SKU selector' form control did not work if its 'Allow multiple choice' setting was enabled.
  • General - Processing of requests containing a query string parameter without a value, such as '?param', could result in an error in certain scenarios. For example, the errors could occur for requests that loaded files and other resources.
  • General export - When using the Advanced export feature for contacts in the 'Contact groups' application with the 'Export raw database data' option selected, it was not possible to select custom contact fields for the export.
  • Web parts & controls - An error occurred when attempting to select a file in the 'Linked file' property of the 'Javascript' web part if another file was already specified.
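
The staging service fix appears in three branches above (hotfixes 10.0.52, 11.0.48 and 12.0.15), and hotfixes are cumulative. The following added example, which is not Kentico's or Konsult's code, triages an inventory of instances against those three entries and the documented 'X.509' workaround; the `Instance` fields, host names and sample records are constructed for illustration.

```python
"""Triage Kentico instances against the staging service deserialization fix."""
from typing import List, NamedTuple, Optional, Tuple

# First hotfix in each branch that lists the fix (taken from the entries above).
# Hotfixes are cumulative, so any later hotfix in the same branch also contains it.
FIXED_IN = {(10, 0): 52, (11, 0): 48, (12, 0): 15}


class Instance(NamedTuple):
    host: str          # hypothetical inventory field
    version: str       # "major.minor.hotfix", e.g. "12.0.14"
    staging_auth: str  # 'Staging service authentication' value noted by the operator


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, hotfix) or None when the string is not three integers."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        return None
    return int(parts[0]), int(parts[1]), int(parts[2])


def normalize_auth(value: str) -> str:
    """Reduce 'X.509', 'x509', ' X 509 ' and similar spellings to 'x509'."""
    return "".join(ch for ch in value.lower() if ch.isalnum())


def triage(inst: Instance) -> str:
    """Classify one instance using only what the hotfix list states."""
    parsed = parse_version(inst.version)
    if parsed is None:
        return "unknown-version"          # cannot compare, needs manual review
    major, minor, hotfix = parsed
    fixed = FIXED_IN.get((major, minor))
    if fixed is None:
        return "branch-not-listed"        # the list says nothing about this branch
    if hotfix >= fixed:
        return "patched"
    if normalize_auth(inst.staging_auth) == "x509":
        return "workaround-applied"       # still below the fixed hotfix
    return "exposed"


def needs_action(inventory: List[Instance]) -> List[str]:
    """Hosts that are neither patched nor covered by the workaround."""
    return [i.host for i in inventory if triage(i) == "exposed"]


# Constructed sample inventory; any staging_auth other than X.509 counts as unmitigated.
SAMPLE = [
    Instance("cms-a.example", "12.0.14", "password"),
    Instance("cms-b.example", "12.0.15", "password"),
    Instance("cms-c.example", "11.0.47", "X.509"),
    Instance("cms-d.example", "10.0.51", "password"),
    Instance("cms-e.example", "9.0.50", "password"),
    Instance("cms-f.example", "12.0", "X.509"),
]

if __name__ == "__main__":
    for inst in SAMPLE:
        print(f"{inst.host:15} {inst.version:8} {triage(inst)}")
    print("needs action:", needs_action(SAMPLE))
```

Instances reported as `workaround-applied` are still below the fixed hotfix for their branch, so they remain candidates for the latest cumulative hotfix.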


Hotfix 12.0.14

Published: Fri, 15 Mar 2019 13:59:03 GMT

Fixed bugs:

  • Form builder - The hotfix introduces additional API that enables more extensive markup customization options for forms built using the 'Form builder' feature. See the hotfix instructions for details.
  • Pages - When deleting a linked page from the content tree in the 'Pages' application, it was not possible to select an alternative page to which old URLs could be redirected.
  • Reporting - If a report had parameters with defined validation rules, the validation did not work when the report and its parameter filter were displayed on a website page using a reporting web part or widget.
  • Web parts - Tabs displayed by the 'Tabs layout' web part were not hidden correctly in certain cases when their content was empty, even when the web part's 'Hide empty tabs' property was enabled. For example, the problem occurred if a tab contained a Repeater web part with an empty data source and the 'Hide if no record found' property enabled.


Hotfix 12.0.13

Published: Fri, 08 Mar 2019 09:47:50 GMT

Fixed bugs:

  • Event management - All event attendees stored for an event, represented as a page of the 'Event (booking system)' page type, were removed when one of the page's culture versions was deleted. After applying the hotfix, event attendees are removed only after the deletion of the event's last remaining culture version.
  • Form builder - The system allowed invalid characters as part of the 'Name' property of form fields (adjustable via the Properties tab of the MVC Form builder). After applying the hotfix, the 'Name' property must begin with a letter or an underscore ('_') character and may contain only letters, numbers, and additional underscore characters.
  • MVC - When publishing an MVC live-site application (e.g., via the Visual Studio 'Publish' wizard), the publishing process did not copy certain .NET Resource (.resx) files. This resulted in unresolved resource strings in parts of the published application. The problem occurred when using versions 12.0.1 to 12.0.12 of the 'Kentico.AspNet.Mvc' NuGet package. From package version 12.0.13, all necessary resource files are copied during the publishing process.
  • MVC - If an MVC widget or form component was registered with an identifier containing a certain suffix (e.g. matching a blocked IIS extension such as '.resources' or '.sitemap'), an error occurred when the item was added to the page or form builder.
  • REST - Authentication of requests to the Kentico REST service failed if the provided password contained the colon character (':').
  • Web analytics - The 'Seznam' search engine defined in the 'Search Engines' application had an obsolete domain configured in its 'Domain rule' property. As a result, visitors from the Seznam search engine (seznam.cz) were not being tracked accurately. After applying the hotfix, the system correctly tracks all visitors that access a site from the 'Seznam' search engine.


Hotfix 12.0.12

Published: Fri, 01 Mar 2019 12:19:32 GMT

Fixed bugs:

  • E-commerce - If a tax exemption for customers was created by registering a custom 'ICustomerTaxClassService' implementation, it was only applied for products with a tax class that had the 'Zero tax if tax ID is supplied' property enabled. After applying the hotfix, the property no longer affects custom tax exemptions (unless checked in the code of the custom implementation).
  • Email marketing - The system did not send confirmation emails to recipients who unsubscribed from a single email feed of the 'Email campaign' type. Additionally, confirmation emails were incorrectly sent in certain cases after unsubscribing from all email feeds (email campaigns and newsletters), which is not intended behavior.
  • Form components - The hotfix removes the 500 character restriction placed on the 'Text area' form component for the MVC Form builder. After applying the hotfix, the character limit is by default set to the maximum number of characters allowed by the underlying database column. However, note that this change is only reflected in form fields created after the hotfix was applied. See the hotfix instructions for details.
  • Page builder - Calling the 'GetPage' method in the Index action of an MVC widget without any properties defined resulted in an error when the widget was displayed.


Hotfix 12.0.11

Published: Fri, 22 Feb 2019 12:33:14 GMT

Fixed bugs:

  • Form controls - A validation error occurred when attempting to save a field with the 'Form field selector' form control if the control's 'Field data type' setting was set to the 'All' option.
  • MVC - Page builder and preview functionality did not work on pages whose controller and action were accessed through another action using an MVC redirect method (for example 'RedirectToAction').
  • Page builder - Widgets or sections that utilized actions other than 'Index' (for example the submit action of the default 'Form' widget) did not work correctly in certain scenarios. The problem could occur if the MVC application's route collection did not contain a general route with a controller and action parameter, or if a different route with a custom controller and the 'Index' action matched the page builder URLs.
  • URL rewriting & SEO - If the default CSRF security token functionality was disabled using the 'CMSEnableCsrfProtection' web.config key, custom 404 error handling pages assigned through the 'Page not found URL' setting were not displayed when a POST request targeted a non-existing URL (by default the standard IIS 404 page was displayed instead).


Hotfix 12.0.10

Published: Fri, 15 Feb 2019 10:46:22 GMT

Fixed bugs:

  • MVC - After installing or updating the 'Kentico.AspNet.Mvc' NuGet package, the 'CMSApplicationModule' module in the MVC project's web.config file did not contain the 'preCondition' attribute, which could have a negative performance impact on the application. Versions 12.0.10 and newer of the package ensure that the preCondition is correctly set to 'managedHandler'.


Hotfix 12.0.9

Published: Fri, 08 Feb 2019 09:09:31 GMT

Fixed bugs:

  • E-commerce - Products that use inventory tracking and have the 'Sell only if items available' property enabled may in some cases be sold even when the inventory is depleted if multiple customers place orders concurrently. After applying the hotfix, the system logs a warning into the event log if such a situation occurs. Additionally, the hotfix introduces the 'CMSUseStrictInventoryManagement' web.config key, which you can enable to prevent the system from creating such orders. If you enable the key and have an MVC site or Portal Engine site with custom checkout components, you need to ensure that your custom code handles the resulting 'InvalidOperationException' and displays appropriate information to customers.
  • General - Processing of requests to virtual paths defined by the Microsoft ASP.NET Web Optimization Framework, such as JavaScript or CSS bundles, resulted in an error (null reference exception). The errors occurred only for requests handled by the Kentico web project (not in MVC applications using the Kentico API).
  • Search - A move operation on a subset of pages under an Azure search index redundantly updated all pages in the corresponding index. This could result in very long indexing operations on sites with a large number of indexed pages.
  • Staging - If multiple staging tasks were synchronized in a single batch, and the synchronization failed for one or more of the tasks, the entire batch remained in the task list (including tasks that were already successfully processed).


Hotfix 12.0.8

Published: Fri, 01 Feb 2019 12:29:18 GMT

Fixed bugs:

  • Dialogs - When selecting or uploading an image file in certain types of media selection dialogs (for example in a page field using the 'Media selection' form control), resizing of the image with a locked aspect ratio did not work correctly.
  • Personas - The system did not allow users to manually recalculate a persona after a new rule was added for the persona in the 'Personas' application.
  • Search - The 'DataItemCount', 'IsFirst()' and 'IsLast()' transformation property and methods did not work correctly for data returned by the smart search (for example in transformations used by the 'Smart search results' web part). After applying the hotfix, the property and methods return the correct values for the currently displayed page of results.
  • Staging - Synchronizing pages with an associated product (SKU) could break the relationship between the page and the product on the target server (in cases where the IDs of the given SKU were different between the staging instances).
  • Staging - When a page with an associated SKU was synchronized with the 'Publish from' field set to a future date, fields of the SKU were not staged correctly (except the name and description fields).


Hotfix 12.0.7

Published: Fri, 25 Jan 2019 14:30:02 GMT

Fixed bugs:

  • Form components - The 'DefaultValue' property of the 'EditingComponent' attribute did not initialize form components (e.g., in forms or widget properties dialogs) with the specified default value. After applying the hotfix, the 'DefaultValue' property correctly sets a form component's default value when necessary.
  • User interface - The 'Order by' property of the 'Selector' UI web part did not work, and also could not be set through the properties of UI elements that used the 'Listing with general selector' page template. After applying the hotfix, custom UI elements based on this template can now have their selector order by value configured through a new property.


Hotfix 12.0.6

Published: Fri, 18 Jan 2019 12:14:01 GMT

Fixed bugs:

  • Data protection - When erasing personal data from the system in the 'Data protection' application on the 'Right to be forgotten' tab, data subject identifiers (e.g. an email address) that contained certain special characters, such as '+', were not processed correctly, which could result in data not being removed.
  • MVC - If the page builder was initialized in a controller of a page located in an MVC Area, an error was displayed instead of the content on the live site and when previewing the page.
  • Page types - The 'Default value' of page type fields was always loaded in the editing form, even for existing pages that had a different value specified. Saving such forms could cause users to make unintended changes in the page data. The problem was introduced by applying hotfix 12.0.5. However, applying hotfix 12.0.6 reverts an older bug fix, and prevents the default value from being applied for the following system page fields: DocumentInheritsStylesheet, DocumentShowInSiteMap, DocumentMenuItemHideInNavigation, DocumentIsArchived, DocumentUrlPath, DocumentWildcardRule and DocumentPriority.
  • Page types - If an existing page type inherited fields from another page type, and a new field or category was added to the parent, the position of the new field in the inherited type could be incorrect (the order was not adjusted according to the inherited type's own additional fields). After applying the hotfix, such new fields are always added directly below the inherited field that precedes the new field in the parent page type.
  • Workflow - When multiple content editors attempted to save pages under a workflow in the Pages application, a deadlock could occur in certain cases.


Hotfix 11.0.47

Published: Fri, 11 Jan 2019 12:58:06 GMT

Fixed bugs:

  • E-commerce - Certain operations with products could lead to SQL deadlock errors on sites with the 'Kentico CMS Base' or lower license editions.
  • E-commerce - Applying hotfix 11.0.39 or newer introduced a change in the e-commerce API, which could cause undetected broken functionality for sites with a customized tax calculation process. After applying hotfix 11.0.47, such cases now clearly result in a runtime and compilation error. Any custom code that prepares 'TaxCalculationResult' objects can no longer use the setter of the 'TotalTax' property, and must instead set the new 'ItemsTax' and 'ShippingTax' properties.


Hotfix 12.0.5

Published: Fri, 11 Jan 2019 11:53:00 GMT

Fixed bugs:

  • Email marketing - The 'Process domain prefix' setting was not taken into account when tagging links in marketing emails with UTM parameters. If the domain prefix in an email link's URL was different from the prefix in the main domain set for the site, the given link was not tagged with the specified UTM parameters.
  • Import toolkit - The Import Toolkit utility did not reflect application keys in the web.config file of the related Kentico project. For example, this caused incorrect behavior when importing data with continuous integration enabled and a custom repository path configured in the target project's web.config. Additionally, serialization of continuous integration data was incorrectly performed when running a simulated import of data in the utility. To fix the issues, the hotfix must be applied to the Setup files (switch to advanced mode in the hotfix utility).
  • MVC - If an MVC site was configured to convert URLs to lower case (by setting the 'RouteCollection.LowercaseUrls' property to true in the code of the related MVC project), errors occurred in certain parts of the page builder and form builder interface, for example the widget property configuration dialog.
  • Page types - If a macro expression was added into the 'Default value' of a page type field with the 'Required' flag enabled, certain types of macros, for example {% EditedObject %}, were not evaluated correctly and returned a null value when creating new pages of the given type.
  • Scheduler - The external Windows service for running scheduled tasks did not release allocated memory correctly in certain cases, which resulted in high memory consumption.
  • Search - Created Azure search indexing tasks were processed synchronously, which could result in an unresponsive user interface (e.g., when manipulating indexed pages in the content tree). After applying the hotfix, created Azure search tasks are processed asynchronously in one-minute intervals (if not customized otherwise).
  • Web parts - The 'Users data source' web part did not order data correctly if the 'ORDER BY condition' property contained multiple columns with different order directions (ASC or DESC keywords). The last order keyword was incorrectly used for all columns.


Hotfix 12.0.4

Published: Fri, 04 Jan 2019 11:43:24 GMT

Fixed bugs:

  • Licensing - A license limitation error was logged for license editions lower than EMS when working with MVC widgets in the page builder. After applying the hotfix, such errors only occur if there are personalization condition types registered in the system (which require an EMS license).
  • Search - Updating or assigning page categories caused indexing tasks for Azure indexes of the 'Pages' type to fail if the index was newly created and not yet rebuilt, or if the subset of the content tree to be indexed, as specified on an index's 'Indexed content' tab, did not yet contain any pages.


Hotfix 12.0.3

Published: Fri, 21 Dec 2018 15:20:16 GMT

Fixed bugs:

  • Authentication - The system disregarded all multi-factor authentication validity interval customizations (via overriding the 'ClockDriftTolerance' property).
  • Chat - The 'Chat support request' web part did not render correctly in certain cases (e.g., on 404 error pages).
  • Email marketing - When sending newsletters, the "License for feature 'NewsletterABTesting' not found" error was logged in the event log and the newsletters were not sent on sites with license editions lower than EMS.
  • Search - When indexing page attachments, errors caused by invalid Unicode surrogate pairs in PDF files terminated the indexing operation. Since such invalid surrogate pairs can occur in otherwise valid PDF files, the pairs are now stripped during the indexing process.
  • Staging - When an advanced workflow containing an asynchronous step (e.g., the 'Wait' or 'Send email' step) was applied to a page in a staging environment, changes to the page past the asynchronous step were not logged into the selected staging task group.