Are you vulnerable?

Konsult wishes to improve the way we inform you about security issues. Transparency is key to making sure your websites are patched and as secure as possible. Here you will see all security issues fixed in Kentico 12 and all future versions.

The hotfixes are cumulative, meaning that the hotfix contains all the previous hotfixes for the same version. We recommend that you apply the latest hotfix available for the respective Kentico version you are using. If you are looking for older versions, please visit https://devnet.kentico.com/download/hotfixes.
 

Hotfix 12.0.44

Published: Fri, 18 Oct 2019 10:51:40 GMT

Be sure to check our Hotfix instructions before starting the hotfix process. It might save you some trouble afterwards.

Fixed bugs:

  • Dialogs - The system processed page URLs inefficiently when listing items in page selector dialogs (e.g., when copying, moving or linking pages), which could lead to performance issues. For example, such issues could occur on MVC sites if the pages listed in the dialog had URL patterns containing resource-intensive macros.
  • General - If an MVC website was disabled by adding an 'App_Offline.htm' file to the project root, every request unnecessarily triggered initialization of the Kentico application (leading to redundant 'APPSTART' events in the system event log).
  • Page builder - Users with limited permissions were not able to create MVC pages with page builder support (i.e. page types with the 'Use Page tab' option enabled) in certain scenarios. An "Access is denied" error occurred if the user had sufficient permissions only for the content tree sub-section where the page was being created, but not for all parent pages.
  • Users - The newsletter subscriptions listed in the 'Users' application on the 'Subscriptions' tab of a selected user were not correctly updated after the user unsubscribed from a newsletter.


Hotfix 12.0.43

Published: Fri, 11 Oct 2019 12:26:36 GMT

Fixed bugs:

  • Page builder - If the value of an MVC widget property contained URLs in virtual relative format, and the property was edited and displayed using an inline editor, the URLs were not resolved correctly within the page builder interface (on the 'Page' tab of the Pages application). URLs within content on the live site were not affected and remained functional.
  • Search - The 'Optimize local search indexes' scheduled task did not work.
  • URL rewriting & SEO - Scenarios where a custom event handler was used to set the 'RequestContext.IsSSL' property did not work correctly (for example when handling HTTPS requests in environments with a reverse proxy server and TLS/SSL acceleration). The problem occurred only after applying hotfix 12.0.35 or newer.


Hotfix 12.0.42

Published: Fri, 04 Oct 2019 08:18:27 GMT

Fixed bugs:

  • E-commerce - On instances with hotfix 12.0.12 or newer applied, customers with a filled in 'Tax registration ID' value were incorrectly exempt from tax for products with a tax class that had the 'Zero tax if tax ID is supplied' property disabled. Note that applying this hotfix corrects the default tax exemption, but also reverses the changes from 12.0.12 - custom tax exemptions added using an 'ICustomerTaxClassService' implementation apply only for products under a tax class with the 'Zero tax if tax ID is supplied' property enabled. If you have a custom tax exemption and wish to avoid this behavior, please contact Kentico support.
  • Macros - Re-signing macros in 'System -> Macros -> Signatures' resulted in an error on instances installed as 'web site' projects and on precompiled deployments. The error occurred only after applying hotfix 12.0.37 or newer.
  • User interface - Errors or "access denied" messages could occur in certain parts of the administration interface due to incorrect hash validation. For example, when attempting to edit a transformation or query from the web part properties dialog. The problem occurred only after applying hotfix 12.0.40 or newer.
  • Widgets - If the default 'Form' widget was "nested" within a custom MVC widget (displayed using the 'RenderAction' HtmlHelper method), a 404 error occurred when submitting the resulting form. The problem occurred only after applying hotfix 12.0.30 or newer.


Hotfix 12.0.41

Published: Fri, 27 Sep 2019 11:11:08 GMT

Fixed bugs:

  • Page builder - Certain mouse button actions that occurred within modal dialogs in the page builder interface could incorrectly affect the interface outside of the dialog. Specifically, the 'mouseup' and 'mousedown' mouse button events were propagated to the dialog's parent elements.
  • Users - The 'Users' application incorrectly allowed only users with the 'Global administrator' privilege level to clone users (as well as perform 'Other actions', such as exporting users). After applying the hotfix, the actions are available for all users with sufficient permissions or at least the 'Administrator' privilege level.
  • Web parts - The 'Collapsible panel' layout web part and widget did not display the image specified through the 'Collapsed image' and 'Expanded image' properties.
  • WYSIWYG editor - Editing a link to a content-only page from a different site using the WYSIWYG editor's 'Insert link' dialog incorrectly opened the 'Web' tab and displayed an external web link. After applying the hotfix, such links are correctly edited on the 'Content' tab.


Hotfix 12.0.40

Published: Fri, 20 Sep 2019 10:17:09 GMT

Fixed bugs:

  • Hotfix - Applying the hotfix database scripts resulted in an error if the target database used a different schema than 'dbo' (the default schema for Kentico databases). The error occurs for hotfixes 12.0.29 (Kentico 12 Service Pack) up to 12.0.39, and is resolved in newer versions.
  • Media library - When a file in a media library was renamed on instances running in a web farm environment, the system did not log synchronization tasks, so the file rename did not occur on other servers. The problem impacted media libraries on MVC sites, which utilize a web farm to synchronize changes to the file system of the MVC live site application.
  • MVC - Links to URLs containing a '#' fragment component (e.g. anchor links) were not handled correctly in preview mode and the page builder interface. When clicked, such links led to invalid URLs, resulting in a 404 error.


Hotfix 12.0.39

Published: Fri, 13 Sep 2019 10:10:43 GMT

Fixed bugs:

  • Authentication - On Portal Engine sites using claims-based (WIF) authentication, URL query string parameters were lost when a user accessed a secured page, was redirected to sign in via the external identity provider, and then returned after successful authentication. After applying the hotfix, handlers of the 'SecurityEvents.AuthenticationRequested' global event include the full query string within the event arguments that provide the redirection URL.
  • Form builder - Globally enforcing authorization over the entire MVC front-end (using the 'Authorize' attribute) resulted in errors when accessing the 'Form builder' tab of the 'Forms' application in the administration interface.
  • Form components - After uploading a file into an MVC form field using the 'File uploader' form component, attempts to delete the file before submitting the form failed and resulted in an error.
  • URL rewriting & SEO - If an external redirect was configured for the Kentico application (e.g., via IIS or the 'hosts' file) and the 'Force domain culture' setting was enabled, but the destination domain was not configured for the target site on the 'Domain aliases' tab in the 'Sites' application, attempting to access the site resulted in an uncaptured .NET error message being displayed to the visitor instead of the system error page.


Hotfix 12.0.38

Published: Fri, 06 Sep 2019 10:35:39 GMT

Fixed bugs:

  • API - When using the 'Kentico.Libraries.Tests' NuGet package to create automated tests, an error occurred when running tests if the 'NUnit' dependency package was manually updated to version 3.10 or newer. After applying the hotfix and updating the 'Kentico.Libraries.Tests' package to 12.0.38 or newer, tests are compatible with newer versions of the 'NUnit' package.
  • Form controls - The 'Form field selector' form control did not work correctly. The control always saved the first field of the chosen form, regardless of the actual field selection in the second drop-down list.
  • Licensing - For instances with the Kentico 12 Service Pack applied (hotfix 12.0.29 or newer), a licensing error occurred on pages created using the MVC page builder if the site's license edition was lower than EMS.
  • Macros - Macro expressions where multiple chained methods modified the data of an object collection did not work correctly in certain cases. For example, if a collection was first modified by the 'Filter' method and then the 'OrderBy' method was added, the original filtering was not applied to the resulting data.
  • On-line forms - If a form on an MVC site contained a field using the 'File uploader' form component, an error occurred on the form's 'Code' tab in the 'Forms' application. It was not possible to generate item and provider code for the given form.
  • Users - If the 'Use site prefix for user names' setting was enabled, the system did not send notification emails to users whose account was locked due to password expiration or reaching the limit of invalid sign-in attempts. As a result, users could not access the password change or account unlock link in the email.


Hotfix 12.0.37

Published: Fri, 30 Aug 2019 10:29:06 GMT

Fixed bugs:

  • Security (Important) - Unrestricted file upload in MVC forms - For files uploaded through forms on MVC sites using the 'File uploader' form component, it was possible to change the recorded original file name on subsequent requests after the initial upload was successful. This allowed upload of any file types to the system. Only users with the 'Read data' permission for the 'Forms' module were able to access these files.
  • Licensing - Re-signing macros in 'System -> Macros -> Signatures' could lead to licensing errors in the event log and invalid macros (for macro expressions related to features for which the instance's current license edition was insufficient).
  • On-line forms - Form fields using the 'File uploader' form component on MVC sites worked incorrectly with form notification emails. Such fields did not display the name of the uploaded file in the email content and the submitted files were not included as email attachments.
  • On-line forms - Forms created using the MVC form builder did not display validation error messages correctly in certain scenarios. If a form was submitted and validation error messages were displayed, these messages disappeared when the form was refreshed (for example after further input triggered re-evaluation of a field's visibility condition).
  • Staging - On instances with multiple target staging servers, synchronization tasks were incorrectly deleted in certain scenarios. When synchronizing tasks to all servers (with the '(all)' option selected in the server selector), tasks were fully deleted for all servers even if the synchronization was only successful for one of the servers.


Hotfix 12.0.36

Published: Fri, 23 Aug 2019 08:22:32 GMT

Fixed bugs:

  • Dialogs - It was not possible to select or drag and drop media files from the file system after opening the media files selector modal dialog. The problem occurred when the 'allowedExtensions' property was not specified in the 'options' parameter object of the 'modalDialog.mediaFilesSelector.open(options)' function.
  • Modules - The 'Parent object type' property of the 'Roles' application's 'Edit role' UI element was incorrectly set to 'A/B test (om.abtest).' This could have caused errors when adding child UI elements to the 'Edit role' element. Applying the hotfix sets the 'Parent object type' property to '(automatic).' Note that this will also overwrite any customizations made to the 'Edit role' element in your project.
  • Web parts - Layout web parts located in a hidden web part zone were completely invisible in the editing interface. The editing handle of such web parts was hidden, and it was not possible to edit them.


Hotfix 12.0.35

Published: Fri, 16 Aug 2019 08:46:20 GMT

Fixed bugs:

  • E-commerce - In certain cases, when utilizing the web part-based checkout process on Portal Engine sites, a previously selected shipping option incorrectly persisted over multiple orders, even though the orders did not contain any shippable items. Furthermore, when using custom shipping carrier providers, removing all shippable items from an order after a shipping option has been selected resulted in an error in certain cases.
  • E-commerce - The 'Customer detail' web part did not validate the uniqueness of entered email addresses for signed-in users. If the entered email address was already registered in the system (e.g., by another user), this could have resulted in two users with identical addresses (due to the way the system merged the submitted information with the internal user object).
  • General - When the Kentico application was running behind a proxy server or some other service that masks the application's original domain (e.g., Azure Application Gateway), it generated certain requests with incorrect URLs. This caused errors in parts of the application (e.g., when uploading files into Media libraries). When hosting the Kentico application behind a proxy server, developers need to set the 'CMSUrlHost' web.config key (added by the hotfix) to the 'host' component of the proxy server's URL to ensure the application correctly generates request URLs. Please note that this configuration currently applies only for Portal Engine projects. See the hotfix instructions for more information.
  • MVC - Installing or updating the 'Kentico.AspNet.Mvc' NuGet package added an empty 'CMSConnectionString' <add> element to the 'connectionStrings' section in the web.config file, if it was not already present. This could cause errors in certain scenarios, for example when using an external connection string file specified via the 'configSource' attribute. The same problem could occur also for the 'appSettings' section with specified 'configSource', where the NuGet installation was adding the 'CMSHashStringSalt' app setting. Versions 12.0.35 and newer of the package no longer add the empty 'CMSConnectionString' and 'CMSHashStringSalt' elements when the 'configSource' attribute is present in their parent section. In case of external config sources, developers need to manually specify the 'CMSConnectionString' connection string and the 'CMSHashStringSalt' app setting in the external config files.
  • Web farms - In special cases, the system accumulated redundant records by repeatedly failing to delete the records from the 'CMS_WebFarmTask' database table.


Hotfix 12.0.34

Published: Fri, 09 Aug 2019 11:14:26 GMT

Fixed bugs:

  • Form controls - When using the 'Image selection' and 'Media selection' form controls for the fields of pages under workflow, validation of the fields was executed incorrectly in certain cases. For example, if the field was set as required after an existing page was already published, the validation prevented users from subsequently creating a new version of the page.
  • Users - Kentico's ASP.NET Identity integration for MVC projects was tightly coupled with the default 'Kentico.Membership.User' class. Any changes to the 'User' class (e.g., added custom properties or additional logic) required a full re-implementation of the entire ASP.NET Identity integration. The hotfix expands the Kentico membership API by introducing the 'KenticoUserManager', 'KenticoUserStore', and 'KenticoSignInManager' types, which allow developers to seamlessly integrate custom user types derived from the default 'Kentico.Membership.User' class. See the hotfix instructions for more details.


Hotfix 12.0.33

Published: Fri, 02 Aug 2019 11:58:38 GMT

Fixed bugs:

  • A/B testing - The 'New...' context menu in the Pages application incorrectly offered the option to create new pages as A/B test variants on MVC (content-only) sites. This option was not relevant, as the A/B testing feature on MVC sites does not use separate pages for variants.
  • General - It was not possible to precompile and publish (e.g., via the Visual Studio 'Publish' wizard) the Kentico project hotfixed to version 12.0.29 or higher due to incorrect file references. Applying the hotfix ensures no incorrect references exist in the project's .csproj file, allowing the publishing process to proceed without problems.
  • Hotfix - After applying hotfix 12.0.29 or newer to the Kentico setup files, new web projects created using the hotfixed installer did not run or compile correctly (due to missing updates of the NuGet package 'packages.zip' archive). To fix the problem, you need to apply hotfix 12.0.33 or newer to the setup files.


Hotfix 12.0.32

Published: Fri, 26 Jul 2019 11:46:02 GMT

Fixed bugs:

  • Security (Moderate) - User widget properties disclosing system object information - An authenticated user was able to view certain system objects through the live site widget properties dialog.
  • Campaigns - When a visitor arrived at a campaign's landing page via a link containing UTM parameters and accepted cookies via the 'Cookie law and tracking consent' web part, the visitor's cookie level and UTM parameters were not evaluated correctly. As a result, a page visit activity was not logged for the campaign's landing page.
  • Form engine - Forms that contained fields with conditions whose evaluation required a server postback (e.g., fields with 'Has depending fields' enabled) lost focus on the currently selected field after the form was reloaded. After applying the hotfix, field selection persists through postbacks.
  • Portal Engine - When a registered user tried adding or configuring widgets on the Portal Engine live site, changes made inside the 'User personalization' widget zones were not saved. You could experience this issue if you installed hotfix version 12.0.30 or 12.0.31.
  • Search - The 'SearchParameters.PrepareForPages' method created a 'SearchParameters' object that forced a specific level of supported smart search syntax for search queries. This interfered with the smart search functionality, for example not allowing exact field searching to be performed (i.e., the syntax 'field:"searchquery"' was incorrectly processed). The hotfix introduces overloads for the 'SearchParameters.PrepareForPages' method that allow users to configure the levels of supported syntax per search request when creating the 'SearchParameters' object. See the hotfix instructions for details.


Hotfix 12.0.31

Published: Fri, 19 Jul 2019 11:50:29 GMT

Fixed bugs:

  • A/B testing - It was incorrectly possible to add and delete page variants of running MVC A/B tests. Deleting page variants in the middle of testing could lead to loss of data and result in skewed test results.


Hotfix 12.0.30

Published: Fri, 12 Jul 2019 10:41:35 GMT

Fixed bugs:

  • MVC - When running an MVC site and the Kentico administration application on different domains, an error could occur when creating new pages of a content-only page type with the 'Show Page tab' setting enabled. The error was encountered if the 'UseResourceSharingWithAdministration()' feature was not enabled for the MVC application, and only after applying hotfix 12.0.29 (Service Pack). With hotfix 12.0.30 or newer, the cross-origin resource sharing feature is automatically enabled for all MVC projects.
  • Page builder - Pages created using the MVC page builder (i.e. containing sections and widgets) displayed an error on the live site if the MVC application's route collection did not contain a general default route with a controller and action parameter. The problem occurred after applying hotfix 12.0.29 (Service Pack).
  • Portal Engine - When adding or configuring editor widgets in the Pages application on Portal Engine sites, changes made in the widget properties dialog were not saved in scenarios where the user opened the live site in another browser tab.
  • REST - An error occurred when using the REST service to set the value of a column with the GUID data type if the request data was in the JSON format.
  • Workflow - An error occurred when trying to restore pages under certain types of advanced workflow from the recycle bin (if the workflow utilized wait steps or step timeouts). If the issue persists for pages created before the hotfix was applied, you need to manually delete scheduled tasks related to the given workflows in the 'Scheduled tasks' application on the 'System tasks' tab before restoring the pages.


Hotfix 12.0.29

Published: Wed, 26 Jun 2019 13:32:26 GMT

Hotfix 12.0.29 is the Kentico 12 Service Pack, which represents a larger update than a standard hotfix and includes new features. For detailed information about the introduced changes, please refer to the Service Pack release notes.
 
Be sure to check the Hotfix instructions for information about correctly applying the service pack.


Hotfix 12.0.28

Published: Fri, 21 Jun 2019 11:23:43 GMT

Fixed bugs:

  • Attachments - If checking of page permissions was enabled for attachment files ('System -> Files -> Check files permission' setting), the result of the permission evaluation was cached incorrectly. This could cause users to incorrectly be allowed (or unable) to access attachments based on the cached result.
  • Media library - The system incorrectly retrieved and displayed the file size value as 0B for very large media library files (for example in the 'Media libraries' application and media selection dialogs).


Hotfix 12.0.27

Published: Fri, 14 Jun 2019 13:03:10 GMT

Fixed bugs:

  • Email marketing - If an email widget used in a marketing email was deleted, the email was then modified and saved, and the widget was later restored, it was not possible to send out the marketing email (the system did not detect the restoration of the widget and update the email to a sendable state).
  • On-line marketing - On sites built using the MVC development model, 'Page visit' and 'Landing page' activities were incorrectly logged when viewing pages in the 'Pages' application of the administration interface. After applying the hotfix, page related activities are only logged on the live site.


Hotfix 12.0.26

Published: Fri, 07 Jun 2019 19:03:14 GMT

Fixed bugs:

  • Import/Export - When a package containing site-specific data was imported, the system forced the rebuild of all smart search indexes. This occurred for all imported objects and could result in long and unnecessary rebuild operations for large indexes. The hotfix disables the forced index rebuild and introduces a new 'Rebuild site search indexes' setting in the 'Objects selection' step of the import wizard, allowing users to determine whether an index rebuild is necessary for each individual import.
  • MVC - Properties of page and form builder components annotated with the 'EditingComponent' attribute were incorrectly validated against the database column size constraints specified in the constructor of the corresponding editing component's properties class. After applying the hotfix, the database column size constraint validation is performed only when submitting values via a form composed using the 'Form builder.'
  • MVC - The 'Insert link' dialog, available in the editor for rich text fields on the 'Content' tab of content-only pages, incorrectly created page links with absolute URLs, including the site's scheme, domain and application path (i.e. the site's 'Presentation URL'). This could cause broken links when transferring content between different environments, for example using staging. After applying the hotfix, the editor creates page links with virtual relative URLs ('~/<link path>'). Additionally, the hotfix introduces an output filter that automatically resolves all relative URLs on the side of the MVC live site (based on the environment where the site is actually running). See the hotfix instructions for more information.
  • Page builder - If content added through the page builder (for example using a custom text editor widget) included URLs in virtual relative format, the URLs became broken after resaving the content on the 'Page' tab in the 'Pages' application. Relative URLs ('~/<resource path>') are resolved into virtual context URLs ('/cmsctx/.../<resource path>') to work within the administration interface, but this value was incorrectly saved into the database on subsequent edits. After applying the hotfix, virtual context URLs are reversed back into relative URLs before being saved. The fix does not address any existing broken links - these need to be fixed and resaved manually.


Hotfix 12.0.25

Published: Fri, 31 May 2019 13:36:45 GMT

Fixed bugs:

  • Email marketing - The 'Insert macro' dialog within the plain text editing interface for marketing emails did not offer context specific objects (for example 'Recipient' or 'Email'). The problem occurred only after applying hotfix 12.0.17 or newer.
  • Email marketing - When a marketing email in an email feed of the 'Email campaign' type contained the 'IsInPersona' macro and was sent to a contact group, the macro always returned a 'True' value for all contacts in the contact group. The previously released 12.0.23 hotfix fixed the same issue, but only for email feeds of the 'Newsletter' type.
  • Page builder - If the default 'Checkbox' component was assigned to a property of a personalization condition type (using the 'EditingComponent' attribute), the checkbox did not work correctly in the resulting configuration dialog when the condition type was selected while personalizing a page builder widget.
  • Reporting - If a user subscribed to an entire report that had parameters and a filter, the resulting report status emails did not contain any data.


Hotfix 12.0.24

Published: Fri, 24 May 2019 10:13:52 GMT

Fixed bugs:

  • Form controls - If a form field used the 'HTML5 input' form control, the 'Enabled condition' advanced field setting did not work. Such fields were always enabled even if the specified condition was not fulfilled.
  • Page builder - If a script or other resource was linked in the markup of an MVC page using a protocol-relative URL, the link URL was incorrectly modified and became broken when the page was viewed in preview mode or the page builder interface within the Pages application.
  • Web parts - Custom filters created for the 'Filter' web part were not loaded correctly on precompiled sites.


Hotfix 12.0.23

Published: Fri, 17 May 2019 13:51:26 GMT

Fixed bugs:

  • Controls - The '~/CMSModules/Content/FormControls/Documents/SelectPath.ascx' control's selection dialog did not work if the control was placed into the markup of a web form or user control and its 'EnableSiteSelection' property was set as an attribute.
  • E-commerce - Payments using the default Authorize.Net provider could fail due to an exceeded maximum length of requests generated by the system (in cases where the payment data contained long parameters, such as the names of shipping options, etc.). Additionally, the system did not resolve localization expressions in the parameters of the sent payment data.
  • Email marketing - When a marketing email containing the 'IsInPersona' macro was sent to a contact group, the macro always returned a 'True' value for all contacts in the contact group.
  • Staging - Staging service authentication using X.509 certificates did not work on instances hosted as an Azure App Service (the system worked with a different certificate store location than the one used by certificates imported into Azure).


Hotfix 12.0.22

Published: Fri, 10 May 2019 15:06:43 GMT

Fixed bugs:

  • Authentication - The system did not send password reset emails in cases where the user's email address matched the address of another user account that was disabled.
  • E-commerce - If a customer set both the shipping and billing address during checkout on a Portal Engine site (via a page containing the 'Customer detail' and 'Customer address' web parts), and then later returned to the given checkout step to update one of the addresses, the changes were not saved.
  • Media library - When the 'URL selector' form control was configured to display the Media tab and a media library 'Starting path' was also specified, it was not possible to select media files from subfolders if the given library was mapped to Azure storage.


Hotfix 12.0.21

Published: Fri, 03 May 2019 10:22:37 GMT

Fixed bugs:

  • Email marketing - Double opt-in, subscription, and unsubscription confirmation emails were sent with 'low' priority, which could cause long delays for subscribers on instances that sent out a large number of other emails. After applying the hotfix, the priority of such confirmation emails is set to 'normal'.
  • Form controls - When the 'Allow switch sides' setting was cleared and a 'Relationship name' was specified in the advanced editing control settings of a page type field that used the 'Related pages' form control, the resulting field did not allow adding of related pages from sites other than the current site.
  • Integration bus - When utilizing a web farm setup together with the integration bus, a single integration task could be processed by multiple web farm servers (usually when the environment experienced heavy load). For example, this could result in duplicates of the processed object being created in the connected external system.


Hotfix 11.0.49

Published: Fri, 26 Apr 2019 10:27:57 GMT

Be sure to check our Hotfix instructions before starting the hotfix process. It might save you some trouble afterwards.

Fixed bugs:

  • Social media - When using URL shorteners to process links in text posted to social media, the application consumed excessive resources on the server (CPU) if the link URLs contained certain special characters. The problem also occurred when calling the 'URLShortenerHelper.ShortenURLsInText' method in custom code.


Hotfix 12.0.20

Published: Fri, 26 Apr 2019 09:01:50 GMT

Be sure to check our Hotfix instructions before starting the hotfix process. It might save you some trouble afterwards.

Fixed bugs:

  • Portal Engine - When a page with a workflow applied contained an 'Editable text' web part, the latest version of the web part's content was not displayed in 'Preview' mode when viewing child pages which inherited the original page's content (via page nesting and the 'Page placeholder' web part).
  • Social media - When using URL shorteners to process links in text posted to social media, the application consumed excessive resources on the server (CPU) if the link URLs contained certain special characters. The problem also occurred when calling the 'URLShortenerHelper.ShortenURLsInText' method in custom code.
  • Translation services - The hotfix updates the Microsoft Translator Text API from Version 2 (V2) to Version 3 (V3), because V2 will be discontinued on April 30, 2019. In addition, the 'Speak' method of the 'MicrosoftTranslatorService' class, which could be used in custom code for text-to-speech functionality, is no longer supported after applying the hotfix.


Hotfix 12.0.19

Published: Thu, 18 Apr 2019 09:43:43 GMT

Be sure to check our Hotfix instructions before starting the hotfix process. It might save you some trouble afterwards.

Fixed bugs:

  • Staging - When a page with an associated SKU was under a workflow, modified fields of the SKU that contained ID values (such as the 'SKUDepartmentID' field) were not staged correctly if the IDs were different between the staging servers, but the 'NodeSKUID' field was identical.


Hotfix 12.0.18

Published: Fri, 12 Apr 2019 08:54:30 GMT

Be sure to check our Hotfix instructions before starting the hotfix process. It might save you some trouble afterwards.

Fixed bugs:

  • On-line forms - When editing forms on a Portal Engine site via the 'Form builder' tab in the 'Forms' application, removing or cloning fields did not work if the field's 'Label' value contained an apostrophe (single quote) character.


Hotfix 10.0.52

Published: Wed, 10 Apr 2019 09:03:20 GMT

Be sure to check our Hotfix instructions before starting the hotfix process. It might save you some trouble afterwards.

Fixed bugs:

  • Security (Critical) - Unauthenticated Remote Code Execution through .NET object deserialization in staging service - Due to an error in the Microsoft.Web.Services3 library, a specially crafted request to the staging service could bypass the initial authentication and proceed to deserialization of user-controlled input. Deserializing that input then led to remote code execution on the server where the Kentico instance was hosted. The workaround for this issue is the same for all projects, regardless of whether staging is used: set the 'Staging service authentication' setting to 'X.509':
    1. Navigate to 'Settings' -> 'Versioning & Synchronization' -> 'Staging'
    2. Under the 'Staging service' section set 'Staging service authentication' to 'X.509'
    3. 'Save' the changes


Hotfix 12.0.17

Published: Fri, 05 Apr 2019 12:23:27 GMT

Be sure to check our Hotfix instructions before starting the hotfix process. It might save you some trouble afterwards.

Fixed bugs:

  • E-commerce - For users with an associated customer, setting the 'First name', 'Last name' or 'Email' property to an empty value incorrectly cleared the corresponding value for the customer entity. These are required fields for customers, so this type of synchronization caused an invalid state. After applying the hotfix, only non-empty name and email values are synchronized from users to customers.
  • Form builder - The 'FormFieldRenderingConfiguration.GetConfiguration' event added as part of the form builder markup customization API introduced in hotfix 12.0.14 was incorrectly invoked in certain scenarios. After applying the hotfix, the event is only triggered for forms rendered by the 'Form' widget. All documented customization scenarios remain unaffected.
  • Form controls - The 'Uni selector' form control did not save selected items correctly if the returned value (determined by the control's 'Return column name' setting) contained special characters. The problem occurred in selection modes that utilize a dialog, such as 'Multiple'.
  • Macros - If an email widget property used the 'Macro editor' form control, context specific objects were not available in the macro autocomplete feature and 'Insert Macro' dialog. It was still possible to enter such objects manually.