./www/php-concrete-cms, Concrete CMS, Open source Content Management System



Branch: CURRENT, Version: 9.2.8, Package name: php82-concrete-cms-9.2.8, Maintainer: pkgsrc-users

Concrete CMS

Concrete CMS is a web content management system designed for creating and
managing websites. Its interface is user-friendly, catering to both novices
and experts.

Concrete is written in PHP and JavaScript and it pulls data from a MySQL
database.

In Concrete CMS, your website is structured as a hierarchy of pages
organized within a sitemap. Each page adheres to a specific Page Type and
utilizes one of its associated Templates. These Templates are PHP files
that combine standard HTML/CSS with dynamic Block Areas. Within Block
Areas, you can insert Blocks, which range from basic HTML Text to advanced
interactive features like forms. Block Areas can be further refined using
Layouts or Containers. While Layouts simply split a block area into
columns, Containers are code-defined and can encompass additional markup and
styling.

* Files
* Users, Groups & Authentication
* Permissions & Workflow
* Attributes
* Packages


Filesize: 74334.938 KB

CVS history:


   2024-04-07 15:59:05 by Takahiro Kambe | Files touched by this commit (3) | Package updated
Log message:
www/php-concrete-cms: update to 9.2.8

9.2.8 (2024-04-02)

Bug Fixes

* Fixed bug where c5:info console command would fail when run on a Concrete
  webroot if that webroot was not yet an installed Concrete site.

* Fixed bug where logout link in toolbar would not work when user was logged
  in as an editor who could not view the Dashboard (thanks ounziw)

Security Updates

* Created CVE-2024-2753 Stored XSS on the calendar color settings screen and
  fixed it with commit 11988.  Prior to the fix, a rogue administrator could
  put malicious javascript on the Concrete CMS color setting screen which
  would have been triggered by and affected users who accessed the color
  settings screen.  The Concrete CMS security team gave this vulnerability a
  CVSS v3.1 score of 2.0 with a vector of AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N.

  Thank you Rikuto Tauchi for reporting HackerOne 2433383.

* Created CVE-2024-3178 Cross-site Scripting (XSS) - Advanced File Search
  Filter and fixed it with commit 11988 for version 9 and commit 11989 for
  version 8.  Prior to the fix, a rogue administrator could add malicious
  code in the file manager because of insufficient validation of
  administrator provided data.  All administrators have access to the File
  Manager and hence could create a search filter with the malicious code
  attached.  The Concrete CMS security team gave this vulnerability a CVSS
  v3.1 score of 3.1 with a vector of AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L.

  Thank you Guram (javakhishvili) for reporting HackerOne 949443.

* Created CVE-2024-3179 Stored XSS in the Custom Class page editing and
  fixed it with commit 11988 for version 9 and commit 11989 for version 8.
  Prior to the fix, a rogue administrator could insert malicious code in the
  custom class field due to insufficient validation of administrator
  provided data.  Concrete CMS version 9.2.8 and 8.5.13 no longer allow any
  non alphanumeric characters in this CSS class.  The Concrete CMS security
  team gave this vulnerability a CVSS v3.1 score of 3.1 with a vector of
  AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L.

  Thank you Alexey Solovyev for reporting HackerOne 918129.

* Created and fixed CVE-2024-3180
  (https://nvd.nist.gov/vuln/detail/CVE-2024-3180).  Prior to the fix, stored
  XSS could be executed by a rogue administrator adding malicious code to the
  link-text field when creating a block of type file.  Fixed with commit
  11988 for version 9 and commit 11989 for version 8.  The Concrete CMS
  security team gave this vulnerability a CVSS v3.1 score of 3.1 with a
  vector of AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L.

  Thank you Alexey Solovyev for reporting HackerOne 903356.

* Created CVE-2024-3181 Stored XSS in the Search Field.  Prior to the fix,
  stored XSS could be executed by an administrator changing a filter to
  which a rogue administrator had previously added malicious code.  The
  Concrete Team fixed this with commit 11988 for version 9 and commit 11989
  for version 8.

  Thank you Alexey Solovyev for reporting HackerOne 918142.

   2024-03-10 15:40:26 by Takahiro Kambe | Files touched by this commit (2) | Package updated
Log message:
www/php-concrete-cms: update to 9.2.7

* pkgsrc change: use PHP_BASE_VERS for dependency to PHP.

9.2.7 (2024-03-05)

Behavioral Improvements

* Improved display of certain UI elements when Concrete was used with
  non-Bedrock/Bootstrap themes.

* Back to Website button in Dashboard now uses the vanity URL instead of the
  cID URL (Thanks JohnTheFish)

* Add db charset and collation to environment report (thanks JohnTheFish)

Bug Fixes

* Fixed: Time selector in the calendar event dialog not showing all times.

* Fixed: 'Undefined array key "value"' in
  /concrete/attributes/date_time/controller.php under PHP 8.

* Fixed: 'Undefined array key 0' in
  /concrete/blocks/calendar_event/controller.php:224 under PHP 8.

* Fix pagination not working in clipboard side panel (thanks
  quentinnorbert0)

* Fix double encoding when displaying page template name (thanks
  quentinnorbert0)

* Fixed inability to clear date/time attributes using the built-in HTML
  datepicker clear link.

* Fixed bug when attempting to do an advanced search by time in the Logs
  (thanks Quentin-Gach)

* Fixed error where including an ampersand in your site name would cause it
  to be displayed as &amp; in your site browser title.

* Fixed: 'Undefined property: Concrete\Block\Survey\Controller::$cID' in
  /concrete/blocks/survey/controller.php:206 under PHP 8.

* Fixed: 'Undefined variable $fID' in
  /concrete/single_pages/download_file.php:23 under certain conditions in
  PHP 8.

* Fixed error when attempting to log values that were non-scalar (thanks
  JohnTheFish)

Security Updates

* Fixed CVE-2024-2179 Stored XSS in the Name field of a Group type with
  commit 11965.  A rogue administrator could inject malicious code into the
  Name field of a Group type which might be executed when users visit the
  affected page because of insufficient validation of administrator provided
  data.  The Concrete CMS Security team scored this 2.2 with CVSS v3 vector
  AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N.  Concrete versions below 9 do not
  include group types so they are not affected by this vulnerability.
  Thanks Luca Fuda for reporting HackerOne 2383192.
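
As an added example (this is not Concrete CMS code and not the project's
actual fix), the pattern behind the stored-XSS entries in the 9.2.8 notes
above (custom class field, CVE-2024-3179; file block link text,
CVE-2024-3180) and the group type name entry here (CVE-2024-2179): an
administrator-controlled string rendered into markup with no validation or
escaping, beside a hardened version that allowlists the CSS class to
alphanumerics, as the 9.2.8 note describes, and HTML-escapes the free-text
fields at output.  All function names, the href and the sample payloads are
constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added illustration, not Concrete CMS code: the same administrator-supplied
// strings rendered two ways. Function names and sample values are constructed.

// "Before": the stored value is interpolated straight into markup. A rogue
// administrator who saves a class like  x" onmouseover="alert(1)  closes the
// attribute and adds an event handler that fires for every viewer of the page.
function renderLinkUnsafe(string $cssClass, string $linkText, string $href): string
{
    return '<a class="' . $cssClass . '" href="' . $href . '">' . $linkText . '</a>';
}

// Input validation at save time for the CSS class field: ASCII letters and
// digits only, mirroring the 9.2.8 note "no longer allow any non alphanumeric
// characters in this CSS class". \z rather than $ so a trailing newline is
// rejected too. Returns null for a rejected value so the caller can refuse
// to store it instead of silently "fixing" it.
function validateCssClass(string $value): ?string
{
    return preg_match('/^[A-Za-z0-9]+\z/', $value) === 1 ? $value : null;
}

// Output escaping for text that must stay free-form (a link label, a group
// type name): encode for the HTML context it lands in rather than restrict it.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// "After": allowlist the class, then escape every value at the point of output.
// Escaping the already-validated class is redundant on purpose (defence in depth:
// the renderer stays safe even if a future code path skips the validator).
function renderLinkSafe(string $cssClass, string $linkText, string $href): string
{
    $class = validateCssClass($cssClass) ?? '';
    return '<a class="' . h($class) . '" href="' . h($href) . '">' . h($linkText) . '</a>';
}

// Constructed payloads of the kind a rogue administrator could store.
$storedClass = 'x" onmouseover="alert(1)';
$storedText  = '<img src=x onerror=alert(document.cookie)>';
$fileHref    = '/files/report.pdf';   // constructed; the CMS would supply the real file URL

echo renderLinkUnsafe($storedClass, $storedText, $fileHref), PHP_EOL;
echo renderLinkSafe($storedClass, $storedText, $fileHref), PHP_EOL;

// A plain class passes; anything outside the allowlist is rejected, including
// the hyphens common in real class names, which is the cost of this policy.
var_dump(validateCssClass('highlightBox') !== null);
var_dump(validateCssClass('btn-primary') === null);
```

Run with `php example.php`: the first output line is the injected markup
with a live event handler and an image tag, the second is the neutralised
link with an empty class and the label rendered as literal text, and both
`var_dump` checks print `bool(true)`.  The split between the two defences is
the point: a short, structured field (a class name) can be allowlisted, while
free-text fields cannot, so those rely on contextual escaping at output.
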

   2024-02-26 16:06:28 by Takahiro Kambe | Files touched by this commit (6)
Log message:
www/php-concrete-cms: add package version 9.2.6

Concrete CMS is the successor of www/php-concrete5.
