Hotfixes

Kentico fixes reported bugs within 7 business days by releasing a hotfix. Learn more about our 7-day bug-fix policy. You can use the Kentico Xperience Installation Manager utility to apply hotfixes. We regularly release hotfixes every Thursday, with possible exceptions in the case of serious bugs, no bugs reported and around holidays.

The hotfixes are cumulative, meaning that every hotfix contains all previous hotfixes for the same version. We recommend that you apply the latest hotfix available for your Kentico Xperience version.

Hotfixes for 13.x

Download latest hotfix

13.0.168
Fixed Bugs   Security Bugs
  • Bug DescriptionFixed in version
  • Kentico Xperience 13 Refresh 13

    Hotfix 13.0.167 is the Kentico Xperience 13 Refresh 13 release, which represents a larger update than a standard hotfix. For detailed information about the introduced changes, please refer to the Refresh release notes linked at the top of this section.

    13.0.167
  • Email marketing - Changes in email A/B test variants not included in the winning email

    After selecting a variant as the winner for an A/B tested email, changes made during the test configuration to the variant's 'Preheader' property or 'Plain text' value weren't included in the email sent to the remaining recipients outside of the test group.

    13.0.166
  • Hotfix - Category-related errors when hotfixing projects with version 13.0.141 or older

    When updating a project from version 13.0.141 or older directly to 13.0.161 or newer, an error occurred during the hotfix procedure if the project's data contained one or more categories (defined in the Categories application). Such projects weren't updated correctly, and various category-related errors could occur.

    13.0.165
  • Media library - Wrong dialog tab preselected in media selectors in certain cases

    If a media selector (for example a page field using the 'Media selection' form control) stored an image from a media library that was set to use direct paths and was placed in external storage, such as Microsoft Azure storage, the selector's dialog incorrectly displayed the 'Attachments' tab when opened instead of the 'Media libraries' tab.

    13.0.164
  • WYSIWYG editor - Incorrect Insert image dialog positioning

    When the rich text editor component was assigned to a page builder widget property, the 'Insert image' dialog in the editor could open outside of the visible area on the screen if the field’s content spanned more than the viewport height.

    13.0.163
  • Contact management - Form submissions can no longer modify the current contact’s email

    When users submit data via a form submission, this data can be mapped to the fields of the associated contact. After applying this hotfix, such actions can no longer be used to change the email address of the current contact. If the contact already has an email address stored in Xperience that doesn't match the new email value, all related field updates are performed for a different contact. Either an existing contact that matches the submitted email value is used, or a new contact is created. In these cases, the user’s associated contact remains unchanged, but any subsequent actions, such as 'Form submission' activity logging and marketing automation processes are performed for the “other” contact that matches the submitted email address.

    13.0.162
  • Installation - Inconsistent database when using 'Additional database installation'

    Databases installed from Setup files hotfixed to version 13.0.155 or newer (via the advanced mode in the hotfix utility) were inconsistent with databases installed and hotfixed to their corresponding version from default Setup files provided by the installer. Most importantly, databases installed via this method were missing certain columns, which could lead to runtime errors in the application. Older versions of the Setup files are not affected. Applying the hotfix SQL script repairs the inconsistencies for databases created from version 13.0.155 Setup files. To fix the installation of new databases, the hotfix must be applied to the Setup files (advanced mode in the hotfix utility). Additionally, applying this hotfix rebuilds the 'View_CMS_Tree_Joined' view - any custom indexes on this view will be lost.

    13.0.161
  • Authentication - Some browser extensions caused authentication problems

    Some browser extensions could interrupt the authentication process between the administration and live site application, which prevented users from viewing certain parts of the administration, such as the preview mode of pages and the page builder or form builder interface.

    13.0.161
  • Categories - Updating category display name affected other categories across sites

    When multiple categories (site or global) had the same name across multiple sites, updating the display name of one category incorrectly affected the 'CategoryNamePath' database values of the children of the other categories.

    13.0.158
  • General - Application startup issues when using automated tests

    In extremely rare cases, using the automated testing support provided by the system could prevent the application from starting.

    13.0.157
  • General - Unable to deploy CMSApp after applying hotfix 13.0.153

    Hotfix 13.0.153 introduced an invalid 'Content Include' reference into the 'CMSApp.csproj' file, which prevented project deployment. Applying the hotfix removes the invalid reference from 'CMSApp.csproj'.

    13.0.156
  • Page builder - Incorrectly trimmed widget names

    When more than 12 widgets were available in the Page builder widget selection dialog, widgets without a defined 'IconClass' had their names incorrectly trimmed.

    13.0.155
  • Installation - Database installation error

    An error occurred when installing the database for a project created from setup files that were updated to hotfix 13.0.80 or newer. This hotfix must be applied to the Setup files (switch to advanced mode in the hotfix utility). If you wish to fix the issue for a previously installed project, apply the hotfix to your setup files, and then copy the 'SQL.zip' file from 'Kentico\13.0\Webinstaller\Web\CMS\App_Data\Install' in your setup files and overwrite the same file in the project's 'CMS\App_Data\Install' folder.

    13.0.155
  • Media library - Thumbnail links linked to videos instead of the thumbnail image

    Links to thumbnails of videos in media libraries incorrectly linked to the video files instead of the thumbnail images.

    13.0.154
  • Import/Export - Import/Export API updates

    The hotfix replaces the usage of certain APIs used during Import/Export with more secure alternatives. This change does not impact the functionality of Import/Export in any way.

    13.0.154
  • Pages - Not possible to open page preview in a new tab

    After applying the 13.0.147 hotfix, it was not possible to open the page preview in a new browser tab.

    13.0.152
  • On-line forms - Not possible to download files uploaded via forms

    After applying the 13.0.147 hotfix, files uploaded through a form couldn't be downloaded on the Recorded data tab in the Forms application.

    13.0.152
  • E-commerce - 'DefaultDeliveryBuilder.SetFromCalculationRequest' ignores the 'itemSelector' parameter

    The 'SetFromCalculationRequest' method from the 'CMS.Ecommerce.DefaultDeliveryBuilder' implementation of the 'IDeliveryBuilder' interface did not reflect the 'itemSelector' parameter in its implementation.

    13.0.152
  • Media library - Error uploading assets to media libraries on Azure

    Attempting to upload a file with a name that already exists in the media library resulted in an error if the original file had a thumbnail attached. This issue occurred only in media libraries mapped to Azure storage.

    13.0.151
  • Users - Cloning users does not clone role assignments

    Cloning users with the 'Clone child objects' option enabled didn't clone the user's role assignments.

    13.0.150
  • Microsoft Azure - Incorrect date formatting for files mapped to Azure storage

    Media library files mapped to Azure blob storage could show incorrect file timestamps (creation and last modified dates) under certain circumstances.

    13.0.149
  • WYSIWYG editor - CKEditor update to v4.24.0

    The hotfix updates the WYSIWYG editor used by the administration interface to version 4.24.0.

    13.0.148
  • API - New API for thread context management in asynchronous code

    The 'CMS.Base.ContextUtils' class was introduced into the public API. The class’s 'PropagateCurrent' and 'ResetCurrent' methods allow developers to propagate or clear the system’s ambient context, such as the database connection, when executing asynchronous or parallel code, for example using 'Task.Run'. See the hotfix instructions in the documentation for more information.

    13.0.148
  • Cookies - Blocking of third-party cookies

    When running the Xperience administration and live site applications on different domains, 'SameSite=None' cookies must be configured to enable 'preview mode' and its related features like the page builder. The hotfix ensures the system cookies used for the preview mode have the 'Partitioned' attribute set. This way, the preview mode will remain functional in browsers that block third-party cookies. For example, the Google Chrome browser plans to block third-party cookies in Q3 2024.

    13.0.147
  • Security - NuGet dependencies update

    The hotfix updates the 'Microsoft.Rest.ClientRuntime' dependency to version 2.3.24 and 'Jquery.Validation' dependency to version 1.19.5.

    13.0.146
  • Page builder - Custom HTML around widget zones removed

    Custom HTML elements surrounding Page builder widget zones in the administration were incorrectly removed in certain cases. The issue was present only after applying hotfix 13.0.43 or later.

    13.0.145
  • Security - NuGet dependencies update

    The hotfix updates the 'Nuget.Packaging' dependency to version 5.11.6.

    13.0.144
  • REST - HTTP 401 when retrieving data via REST

    Retrieving data via REST with hash parameter authentication and having the 'Allow sensitive fields for administrators' setting enabled always returned HTTP 401 (Unauthorized) and logged a null reference exception to the event log.

    13.0.144
  • Form components - Missing default 'Options value separator'

    The semicolon character was not set as the default value of the 'Options value separator' setting in the Form builder for the 'Radio buttons', 'Drop-down list' and 'Multiple choice' selector form components.

    13.0.144
  • WYSIWYG editor - Styles removed from rich text content in certain cases

    The HTML sanitizer in the Rich text editor component for page and form builder removed all entered CSS '@media' rules. Additionally, if a '<style>' tag was added as an allowed HTML tag and content of the editor for rich text fields was rendered in the page or form builder, the '<style>' tag was removed from the resulting HTML content.

    13.0.143
  • Security - Page and Form builder dependencies vulnerability

    Fixed a vulnerability in the Page and Form builder dependencies.

    13.0.143
  • Page builder - Deprecated mutation events replacement

    Usage of deprecated DOM mutation events triggered warnings in the browser console in certain parts of the Page builder UI. The events were replaced by the 'MutationObserver'. This change does not impact the existing public API.

    13.0.143
  • Kentico Xperience 13 Refresh 12

    Hotfix 13.0.142 is the Kentico Xperience 13 Refresh 12 release, which represents a larger update than a standard hotfix and includes new features. For detailed information about the introduced changes, please refer to the Refresh release notes linked at the top of this section.

    13.0.142
  • Form components - Persistence of selected options containing semicolons

    An option selected in the 'Multiple choice' selector form component was not persisted in the system if the option's value contained a semicolon.

    13.0.141
  • Form components - Semicolons in options text

    Selector form components (e.g., 'Radio buttons', 'Drop-down list' or 'Multiple choice') didn't display their options correctly if the option text contained a semicolon. If you want to use semicolons in the options text, configure a different separator using the new 'Options value separator' setting in the Form builder (or using the new 'DataSourceValueSeparator' property when adding editing components in code).

    13.0.140
  • Files - Image file request protection

    <p>The hotfix introduces a feature to improve the protection of image file request endpoints. See the hotfix instructions in the documentation for more information.</p>

    13.0.140
  • Form builder - Additional wrapping div elements after a form reload with disabled JQuery

    A form set to reload after submission was repeatedly wrapped by an additional 'div' element after each refresh (form submission or a failed field validation). This occurred only when the use of JQuery was disabled for the form and page builder by setting the 'CMSBuilderScriptsIncludeJQuery' key to 'false'.

    13.0.139
  • WYSIWYG editor - CKEditor security notification

    The hotfix temporarily hides the security notification displayed by the WYSIWYG editor used by the administration interface.

    13.0.138
  • URL rewriting & SEO - Former URLs with query strings caused an error

    Accessing a former URL of a page with a query string parameter caused a loop of redirects and resulted in an error.

    13.0.138
  • Page builder - Unavailable scroll bar in Page selector

    The scroll bar was not available in the Page selector editing component used in a widget when the page selected as root had a large number of subpages.

    13.0.138
  • Security - NuGet dependencies update

    The hotfix updates the following NuGet dependencies: 'Microsoft.IdentityModel.JsonWebTokens' to version 6.35.0, 'System.IdentityModel.Tokens.Jwt' to version 6.35.0, 'System.Data.SqlClient' library to version 4.8.6, 'Nuget.Packaging' library to version 5.11.5, and 'Microsoft.AspNet.Identity.Owin' library to version 2.2.4.

    13.0.137
  • Page templates - Not possible to pass certain data to page template view

    When implementing page templates with a custom model, it was not possible to manually pass data to the template view using ViewBag or ViewData.

    13.0.137
  • Page builder - Widgets with very long names displayed incorrectly

    Widgets with very long names were displayed incorrectly in the page builder widget selection dialog after applying hotfix 13.0.131 (Kentico Xperience 13 Refresh 11).

    13.0.136
  • Page builder - Incorrect serving of 'systemFormComponents.min.js' in page builder

    The system did not serve the minified 'systemFormComponents.min.js' file correctly in the page builder scripts for the Form widget.

    13.0.135
  • Salesforce - Added support for authorization flows that require PKCE

    The Salesforce integration was extended to support OAuth 2.0 authorization flows that require the Proof Key for Code Exchange (PKCE) Extension. This option can now be enabled in the configuration of the connected Salesforce App.

    13.0.134
  • WYSIWYG editor - CKEditor update to v4.22.1

    The hotfix updates the WYSIWYG editor used by the administration interface to version 4.22.1 as a prevention against vulnerabilities present in older versions.

    13.0.133
  • WYSIWYG editor - Froala editor update

    The hotfix updates the Froala editor to version 4.1.4. For example, the editor is used in the 'Rich text' page builder widget.

    13.0.133
  • Page builder - Incorrect recently used widgets displayed after searching

    The 'Recently used widgets' section of the page builder widget selection dialog could display incorrect results after using the dialog's search feature.

    13.0.133
  • Page builder - Section dialog displayed incorrectly with a large number of sections

    The section selection dialog in the Page and Form builder interface was displayed incorrectly if the total number of available sections was more than 12.

    13.0.133
  • WYSIWYG editor - Resizing images in the rich text field editor did not work correctly

    Resizing images inserted into the editor for rich text fields did not work correctly. Additionally, resizing options for images from the web were incorrectly hidden after applying Refresh 10 (hotfix version 13.0.115 and later).

    13.0.132
  • Page builder - Widget dialog displayed incorrectly with a large number of widgets

    The widget selection dialog in the Page builder interface was displayed incorrectly if the total number of available widgets was more than 12.

    13.0.132
  • Kentico Xperience 13 Refresh 11

    Hotfix 13.0.131 is the Kentico Xperience 13 Refresh 11 release, which represents a larger update than a standard hotfix and includes new features. For detailed information about the introduced changes, please refer to the Refresh release notes linked at the top of this section.

    13.0.131
  • Security - Updated 'HtmlSanitizer' version

    The hotfix updates the 'HtmlSanitizer' dependency of the 'Kentico.Xperience.AspNetCore.WebApp' and 'Kentico.Xperience.AspNet.Mvc5' packages from version 5.0376 to 8.0.723.

    13.0.130
  • Marketing automation - 'Move to specific step' action not showing all steps

    When managing contacts within a marketing automation process that had a large number of steps (15 and more), the 'Move to specific step' action did not display all available steps correctly.

    13.0.130
  • Import toolkit - Error when importing pages

    The error "Could not load file or assembly 'Microsoft.Extensions.FileProviders.Abstractions, Version=3.1.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60' or one of its dependencies" could occur when importing pages with certain configurations using the 'Kentico Xperience Import Toolkit'. To fix this issue, you must apply the hotfix to Kentico setup files.

    13.0.129
  • Upgrade - ASP.NET Core 3.1 support removal

    The hotfix removes .NET Core 3.1 support from all Kentico libraries used to develop ASP.NET Core live site projects. When upgrading ASP.NET Core live site projects that target .NET Core 3.1, you must first retarget to .NET 6.0 (the current minimum supported version) and then update the Xperience NuGet packages.

    13.0.128
  • Images - Error when resizing gif images

    If a 'gif' file was retrieved and resized on an ASP.NET Core live site project, the image was not displayed and an error occurred. After applying the hotfix, resizing of gif images is still not supported, but the original file is displayed even when resize parameters are applied.

    13.0.128
  • Contact management - Incorrect contacts displayed in contact groups with an account

    If a contact group had one or more accounts assigned, the 'Contacts' tab in the Contact groups application could display contacts who did not actually belong to the group. The issue only affected the contact group UI, not features working with the contacts in the group (e.g., automation or email marketing).

    13.0.128
  • Translation services - Macro error in the translation package Instruction file

    The Instructions.html file provided with a package submitted for translation did not contain information about the user who submitted the request. This also resulted in event log errors when working with the submission.

    13.0.127
  • On-line forms - Form display name not localized in the 'Form' widget selector

    If a localization expression was added into the 'Form display name' field of a form, the value was not resolved in the form selector displayed by the 'Form' widget in the page builder UI.

    13.0.127
  • URL rewriting & SEO - Alternative page URL performance issues

    On projects that contained a very large number of pages and had the alternative URLs feature enabled, performance issues and timeouts could occur when adding new pages or alternative URLs. Applying the hotfix improves the performance of the alternative URL collision check, which mitigates these issues.

    13.0.126
  • Security - SkiaSharp package version update

    The hotfix updates the SkiaSharp dependency of the 'Kentico.Xperience.ImageProcessing.KX13' library from version '2.88.3' to '2.88.6'.

    13.0.125
  • Time zones - Incorrect daylight savings time shift calculation for certain time zones

    The system incorrectly calculated daylight savings time shifts for time zones in the southern hemisphere (e.g., Canberra, Melbourne, Sydney). The issue impacted, for example, scheduled publishing of content.

    13.0.124
  • URL rewriting & SEO - Former URLs always redirected to the main site domain name

    If a visitor accessed a former URL of a page on a site with one or more domain aliases, the system always used the site's main domain name when redirecting to the current URL. After applying the hotfix, former URL redirects preserve the currently active domain name.

    13.0.123
  • Multilingual content - Visitors were not able to change the culture on the home page

    Visitors who had a preferred language different than the site's default content culture set in their browser were not able to change the culture on the home page under special circumstances (enabled content tree-based routing, language prefix URL format, hidden language prefixes for default culture URLs, visitor's culture set to automatic).

    13.0.122
  • Form controls - Drop-down form control didn't refresh depending fields correctly

    Depending fields of a field with a drop-down form control that had the 'Allow edit value' property enabled were not refreshed when the value in the drop-down changed.

    13.0.122
  • Continuous integration - Object filtering not working for settings object types

    Object filtering for objects of the 'cms.settingskey' and 'cms.settingscategory' types was not being processed correctly, which caused the system to ignore filtering directives targeting these objects in 'repository.config' files.

    13.0.120
  • Form builder - File uploader component form submission issues

    It was not possible to submit a form containing the 'File uploader' component when the component was set as 'Required' and at the same time hidden by a visibility condition that depended on the value of another field.

    13.0.119
  • Contact management - Contact import failed for values with the maximum allowed length

    Import of contacts from a CSV file in the Contact management application failed if an imported value exactly matched the maximum allowed length for the given contact field. For example, the problem occurred when importing a text value 50 characters long into the 'ContactJobTitle' field, which allows 50 characters.

    13.0.119
  • Data engine - Exception when working with Info objects

    In certain rare cases, an error (null reference exception) occurred when deleting Info objects with enabled hash table caching. Such an error could interrupt the flow of threads, etc. For example, the problem could occur in certain cases when the system merged (and deleted) contacts.

    13.0.118
  • Scheduler - Dependency conflict error with the external scheduler

    A dependency conflict error occurred when running scheduled tasks using the external Windows service. The issue occurred only after installing hotfix 13.0.110 or newer.

    13.0.117
  • Page builder - Limited performance of the media files selector

    The media files selector for page builder components had limited performance due to loading all files within a folder every time it was opened. After applying this hotfix, media files are cached and pagination was introduced to improve the performance.

    13.0.116
  • Page builder - White images not visible in selection dialogs

    White images with a transparent background were not visible in the selection dialogs of the media files and attachment selectors for page builder components. After applying the hotfix, images are displayed with a subtle border in the selection dialogs.

    13.0.116
  • Kentico Xperience 13 Refresh 10

    Hotfix 13.0.115 is the Kentico Xperience 13 Refresh 10 release, which represents a larger update than a standard hotfix and includes new features. For detailed information about the introduced changes, please refer to the Refresh release notes linked at the top of this section.

    13.0.115
  • Page builder - Error when copying widgets containing invalid HTML

    When attempting to copy any widget in the page builder interface containing invalid or deprecated HTML (e.g., a 'Rich text' widget with HTML inserted using the 'Code View' feature), errors were logged in the JavaScript console and the widget was not copied. After applying the hotfix, the widget is copied, but a preview thumbnail is not available when inserting the widget.

    13.0.114
  • Form builder - Long form field labels displayed incorrectly

    Fields with a very long label text were displayed incorrectly in the Form builder interface. After applying the hotfix, long label texts break to a new line instead of appearing under the field's input component.

    13.0.114
  • Authentication - MembershipContext.AuthenticatedUser incorrectly returning the public user

    Calling `MembershipContext.AuthenticatedUser` within the live site application could have returned the anonymous 'public' user instead of the currently signed-in user. The issue occurred if the 'KenticoEventLog' application logger's 'LogLevel' was set to 'Information' or lower (more verbose) via the application settings (e.g., within appsettings.json).

    13.0.114
  • On-line forms - Values of hidden fields cleared on the 'Recorded data' tab

    After saving a form data record on the 'Recorded data' tab in the Forms applications, stored values were always cleared for hidden form fields (e.g., fields with their 'Visibility' set to 'Never'). This caused lost data in scenarios where hidden form fields were filled in using custom code or other form components.

    13.0.113
  • General - Error when installing NuGet packages into the CMSApp project

    A dependency conflict error occurred when installing any NuGet package into the 'CMSApp' administration project. The issue occurred only after installing hotfix 13.0.110 or newer.

    13.0.113
  • Form components - Not possible to dynamically update values of component properties

    It was not possible to dynamically set and update the values of component properties based on other properties, e.g., clearing a dependent field when the value of a property set as dependency changes. See the hotfix instructions for more information.

    13.0.113
  • URL rewriting & SEO - Alternative URLs not working when using minimal APIs

    The 'Alternative URLs' functionality in the 'Rewrite' mode did not work when using minimal APIs to initialize the application.

    13.0.112
  • Page builder - Deprecated 'onKeyPress' events replacement

    Usages of the deprecated 'onKeyPress' event were replaced with the 'onKeyDown' event in the code of the system's page builder components. This change does not impact the existing public API.

    13.0.112
  • A/B testing - Page A/B test variant selection dialog not opening

    The A/B test variant selection dialog in the Pages application did not work. The issue occurred only on new projects created using the updated installer released for Kentico Xperience 13 Refresh 9 (released March 23, 2023).

    13.0.112
  • Salesforce - Error when retrieving empty values of non-required Salesforce fields

    If a non-required field of a Salesforce object (for example a Salesforce lead) had an empty value, an error occurred when retrieving data from entities of this type. For example, this could occur when synchronizing data from Salesforce leads to Xperience contacts or when retrieving data using the 'SelectEntities' Salesforce integration API.

    13.0.111
  • WYSIWYG editor - HTML sanitizer removed tags from the content of the editor

    The HTML sanitizer in the Rich text editor component for the page and form builder, introduced in hotfix 13.0.89, removed HTML tags from the content even if the tags were allowed in the editor configuration. This hotfix introduces new configuration keys to customize the set of allowed tags and attributes. See the hotfix instructions for more information.

    13.0.110
  • Pages - Links to unpublished objects resolving incorrectly when previewing pages

    When previewing unpublished pages using the 'Show preview' feature on the 'URLs' tab in the Pages application, links to other unpublished objects (e.g., page attachments) did not resolve correctly.

    13.0.110
  • On-line forms - Forms with field dependencies not working in preview mode

    Forms with a validation rule or visibility condition that depended on another field did not work correctly in preview mode or when using a 'Show preview' link. When the form was refreshed due to a field dependency, it disappeared (on sites using the ASP.NET Core development model) or the "Antiforgery token validation failed" error occurred (on ASP.NET Framework MVC 5 sites).

    13.0.110
  • Media library - Media files usage tracking not working for files on external storage

    Media files usage tracking did not correctly track files from media libraries with the 'Use direct path for files in content' setting enabled. The issue only occurred if the media library was mapped to external storage.

    13.0.110
  • Search - Azure search tasks generated even without existing Azure search indexes

    Changes made to content always generated Azure search tasks even if no Azure search indexes existed in the system.

    13.0.109
  • Page builder - Scrolling in the page selector dialog not working correctly

    Scrolling did not work correctly in the Page selector dialog for page builder component properties. The issue occurred after applying hotfix 13.0.105 or newer.

    13.0.109
  • On-line forms - 'Redirect to URL' form setting did not allow URL fragment values

    After applying hotfix 13.0.91 or newer, the 'Redirect to URL' field of the 'After the form is submitted' options on a form's General tab did not allow values starting with the URL fragment character (#). This prevented redirects to a specific anchor on the page containing the form, using e.g., '#success' as the redirect value.

    13.0.108
  • Unix/Linux - Resized images not displayed on the live site

    Resized images (e.g., retrieved from media libraries) were not displayed on the live site for Linux deployments of ASP.NET Core projects. To resolve the issue, developers need to install the 'Kentico.Xperience.ImageProcessing.KX13' NuGet package into the live site project. The package uses the 'SkiaSharp' library to process images. Deployments on Windows servers are not affected by this issue. See the hotfix instructions for details.

    13.0.107
  • Media library - Media files usage for custom tables without an 'ItemID' column

    Media files usage tracking did not work for custom tables that were created using an existing database table with a primary key column named differently than 'ItemID'. Errors occurred when the custom table's items were added or updated.

    13.0.107
  • Salesforce - Salesforce API not working on .NET Core sites

    It was not possible to use the Salesforce integration API in the code of live site applications with the ASP.NET Core development model. A 'NotSupportedException' occurred when creating the 'SalesForceClient' object.

    13.0.106
  • Macros - 'BizForms.Items' macro collection not refreshed after the form data changed

    The 'GlobalObjects.BizForms[form class name].Items' macro cached the form data without using the correct cache dependencies. As a result, the values in the returned collection were not refreshed if the form's data records were updated between resolutions of the macro.

    13.0.106
  • Media library - Error when saving metadata of unsupported image files

    If an unsupported image type (e.g., an SVG file) was uploaded to a media library, an error was displayed when editing and saving the file's metadata (i.e., the file's name, title or description). Additionally, staging of such files did not work. After applying the hotfix, such files are still not supported as images, but editing of file metadata and staging works correctly.

    13.0.105
  • Installation - Incorrectly defined user-defined table type in database installation scripts

    The user-defined table type 'Type_OM_OrderedIntegerTable_DuplicatesAllowed' used by the Xperience database installation scripts was not defined correctly. In rare cases, this could have caused issues when recalculating online marketing activities.

    13.0.105
  • Email marketing - Bounced emails not working with OAuth and an empty Password setting

    Bounced email monitoring didn't work if the POP3 settings had the 'Authentication type' set to 'OAuth 2.0' and the 'Password' setting was empty. After applying the hotfix, the password is no longer validated in this scenario, since it is not used for OAuth authentication.

    13.0.105
  • Kentico Xperience 13 Refresh 9

    Hotfix 13.0.104 is the Kentico Xperience 13 Refresh 9 release, which represents a larger update than a standard hotfix and includes new features. For detailed information about the introduced changes, please refer to the Refresh release notes linked at the top of this section.

    13.0.104
  • Page builder - Images added to the Rich text widget using CSS attributes not displayed

    Images added in the 'Code View' mode of the 'Rich text' widget's editor using the 'url()' CSS function were not displayed on the live site or in the page builder.

    13.0.103
  • Pages - Preview in Pending pages did not work for usernames with special characters

    In the 'Pending pages' application, the 'Navigate to page' preview button did not work correctly for users with certain special characters in their username (e.g., an '@' sign). The action resulted in a 403 error.

    13.0.102
  • Object versioning - Error when emptying the recycle bin

    Under certain circumstances, an error could occur when emptying the Objects recycle bin. For example, the issue could occur when emptying a recycle bin that contained items deleted by a user that no longer existed.

    13.0.102
  • Page builder - Issues when accessing page context from custom middleware

    The context of the current page was not preserved correctly if it was accessed via the 'IPageDataContextRetriever' service within a custom middleware component, which could break other functionality that relied on the page context. This could result in invalid page builder requests and prevent certain functionality from working, e.g., switching page templates.

    13.0.101
  • Page builder - Page builder widget memory consumption

    On ASP.NET Core sites, page builder widgets that had output caching disabled consumed unnecessary memory, and the application did not clear this memory correctly.

    13.0.101
  • Hotfix - Hotfix utility adding unnecessary project file includes

    The hotfix utility incorrectly added file references ('Content Include' statements) for sample site assets to the project file of the Xperience administration project (CMSApp.csproj). To fix the issue, this hotfix must be applied to the Setup files (switch to advanced mode in the hotfix utility). After applying this hotfix, the utility no longer adds the unnecessary references. However, if the CMSApp project already contains the references from previous hotfix applications, they will not be deleted. You can remove the extraneous files manually - see the hotfix instructions for a full list.

    13.0.100
  • Hotfix - Hotfix utility not working for command line deployments

    When using setup files with hotfix 13.0.94 (Refresh 8) or newer applied, attempting to run the hotfix utility from the command line with the '/deploy' parameter did not work and resulted in an error. To fix the issue, this hotfix must be applied to the Setup files (switch to advanced mode in the hotfix utility).

    13.0.100
  • Search - Content of the Rich text widget not indexed correctly in certain cases

    Search indexes did not index the content of the 'Rich text' page builder widget correctly. The last word of a paragraph and the first word of the next paragraph were not separated and were indexed together as one word (i.e., "lastfirst" instead of "last" and "first").

    13.0.99
  • Page builder - Prevent collisions of CSP directives in system controllers

    After applying hotfix 13.0.81, 'frame-ancestor' CSP directives set in custom code (e.g., via a custom middleware) could collide with the CSP set by the system. After applying this hotfix, the system automatically overrides all custom CSP directives with the required configuration.

    13.0.98
  • Settings - Decimal values processed incorrectly in certain cultures

    Decimal values set for the reCAPTCHA v3 'Score Threshold' or the 'Minimum confidence' setting for Image recognition were interpreted incorrectly in certain cultures, depending on the culture's decimal separator character. For example, the problem could prevent reCAPTCHA validation from working correctly if the score threshold value was set under a different UI culture than the content culture of the page containing the resulting form. After applying the hotfix, stricter requirements are applied to the format of 'double' type setting values - thousand separators are no longer supported.

    13.0.97
  • Search - Redundant search indexing tasks

    After applying hotfix 13.0.85, the system could generate search indexing tasks that were not required by any index. This hotfix optimizes the process of generating search indexing tasks to limit the number of redundant tasks.

    13.0.97
  • General - Source code project file update to SDK-style

    The hotfix updates many project files to the SDK-style format. This change only affects customers with source code projects. See the source code hotfix instructions to learn about the potential impact on your code base.

    13.0.97
  • General - Assembly version conflict warnings

    The WebApp.sln solution displayed warnings related to version conflicts of the System.Text.Json and Azure.Core assemblies.

    13.0.97
  • Settings - Error when searching for reCAPTCHA settings

    An error occurred when searching in the Settings application if one of the search results belonged to the 'reCAPTCHA v2' or 'reCAPTCHA v3' settings category. The issue occurred after applying hotfix 13.0.94 (Refresh 8).

    13.0.96
  • E-mail engine - New API for SMTP client configuration

    The hotfix introduces new 'CMS.EmailEngine.ISmtpClientFactory' API that enables developers to modify the configuration of the system's SMTP client. This API is primarily intended for advanced environments with specific requirements.

    13.0.96
  • Sites - Domain name alias case sensitivity issues

    When a site's Administration domain name was set with at least one uppercase letter and the 'Enforce lowercase URLs' settings was enabled, the domain was not recognized due to case comparison, which prevented certain features in the administration from working. For example, the problem affected the Page and Form builder or the Preview functionality of pages.

    13.0.96
  • Unix/Linux - Linux instances encountered exceptions when accesing files from Amazon S3

    Kentico Xperience instances hosted in Linux environments could encounter exceptions when accessing resources from the Amazon S3. This would occur, for example, when accessing media library files stored in the Amazon S3.

    13.0.95
  • Search - Page HTML output not indexed correctly in certain cases

    Under certain conditions, the system may not have always indexed the latest published changes to page builder content that modified the resulting HTML output of the page. This issue affected indexes of the 'Pages' type whose 'Data source for indexing' was set to either 'HTML output' or 'Both' (where a web crawler was used to index HTML content).

    13.0.95
  • Scheduler - Scheduler in local environments not working correctly in certain cases

    The scheduler feature used only the main domain name and presentation URL of a site when attempting to process scheduled tasks in local environments. This caused the scheduler to not function correctly for applications run using a specific port (e.g., when launched using IIS Express), making it difficult to test custom scheduled task implementations. The hotfix introduces two new configuration keys that facilitate local scheduled task development. See the hotfix instructions for details.

    13.0.95
  • Kentico Xperience 13 Refresh 8

    Hotfix 13.0.94 is the Kentico Xperience 13 Refresh 8 release, which represents a larger update than a standard hotfix and includes new features. For detailed information about the introduced changes, please refer to the Refresh release notes linked at the top of this section.

    13.0.94
  • WYSIWYG editor - HTML sanitizer removed 'mailto' links

    The HTML sanitizer in the Rich text editor component for the page and form builder removed 'href' attributes containing 'mailto' links from <a> tags. The issue occurred after applying hotfix 13.0.89 or newer.

    13.0.93
  • Search - Search results highlighting memory optimization

    The hotfix optimizes application memory usage when using the search results highlighting API.

    13.0.93
  • Caching - Incorrect caching of error states for pages on multi-site instances

    On instances containing two or more sites with the same culture, the 404 response returned after accessing a URL slug without an existing page was incorrectly cached, which caused a 404 response on other sites where a page with the same URL slug existed.

    13.0.93
  • WYSIWYG editor - Incorrect "Unsaved changes" prompt in the Pages application

    The 'Content' tab in the 'Pages' application incorrectly prompted users with an "Unsaved changes" dialog when leaving the page even when there were no actual changes to page content. The issue occurred when the page contained macro expressions with string parameters inside rich text content.

    13.0.92
  • WYSIWYG editor - ID and data attributes allowed in HTML sanitization

    Hotfix 13.0.89 introduced HTML sanitization of content in the Rich text editor component for the page and form builder. This sanitization can result in modified or broken HTML code, for example when adding content via the editor's Code View option (see the hotfix instructions for details). After applying this hotfix, the sanitization additionally allows 'ID' and 'data-*' attributes.

    13.0.92
  • User interface - Missing title of the file selection dialog

    The title of the file selection dialog was not displayed correctly due to a missing resource string, for example when selecting the file for a new form control in the Form controls application.

    13.0.91
  • On-line forms - 'Redirect to URL' form setting did not accept macros

    Values containing macro expressions were rejected as invalid when added to the 'Redirect to URL' field of the 'After the form is submitted' options on a form's General tab. The issue was caused by validation introduced after applying hotfix 13.0.75 or newer.

    13.0.91
  • Installation - Connection timeout during database installation to Azure SQL

    Installing the database directly to an Azure SQL server could result in a connection timeout error for database tiers with lower performance.

    13.0.90
  • Authentication - MembershipContext.AuthenticatedUser always returning the public user

    Calling `MembershipContext.AuthenticatedUser` within the live site application always returned the anonymous 'public' user instead of the currently signed-in user. The problem could also affect other parts of the system's functionality that used this API internally. The issue occurred after applying hotfix 13.0.86 or newer.

    13.0.90
  • API - IPageDataContextRetriever.TryRetrieve unhandled exception

    Calling the 'IPageDataContextRetriever.TryRetrieve' method resulted in an unhandled exception if the page data context could not be initialized, instead of returning a false value.

    13.0.90
  • Installation - Reintroduction of .NET Core 3.1 support to Xperience NuGet packages

    Hotfix 13.0.84 incorrectly removed support for .NET Core 3.1 from the Xperience NuGet packages. The change made it impossible to upgrade projects targeting .NET Core 3.1 to the Refresh 7 release. This hotfix returns support for .NET Core 3.1 back into the Xperience NuGet packages.

    13.0.89
  • Multilingual content - 404 response on sites with separate domains per culture

    On multilingual sites with content tree-based routing enabled and the 'URL format for multilingual sites' setting set to 'Domain', the system incorrectly cached the 404 response returned when a visitor accessed a URL slug that was not available for any page in the selected culture. The cached 404 response was then returned when accessing the same URL slug under the domain of a culture where the page existed. The problem persisted until the application's cache was cleared. This issue occurred after applying hotfix 13.0.74 or newer.

    13.0.89
  • Caching - Content updates not reflected for linked pages

    Cache invalidation didn't work correctly for the data of linked pages retrieved and cached using the 'IPageDataContextRetriever' API. As a result, changes made to a page were not reflected for linked pages until the application's cache was cleared.

    13.0.88
  • ASP.NET Core - Live site crash for .NET 6.0 sites using the Thai content culture

    For projects targeting .NET 6.0, using the Thai (th-th) content culture for a site caused the live site to crash with an unhandled 'OutOfRangeException' error.

    13.0.88
  • Page builder - Selectors did not preserve the order of the selected items

    Page, Path, Media and Attachment selectors for page builder components did not preserve any order of the selected items. After applying the hotfix, the items are stored in the order in which they were selected.

    13.0.87
  • Multilingual content - Default content culture set incorrectly after application start

    In certain scenarios, the first request after an application start incorrectly set the site's content culture for subsequent visitors (the culture was incorrectly detected and cached based on the 'Accept-Language' request header). For example, the problem occurred for the site's default culture when using content tree-based routing with language prefixes and the 'Hide language prefix in default culture URLs' setting enabled.

    13.0.86
  • WYSIWYG editor - Rich text editor sticky toolbar not working

    If the Rich text editor for the page builder had a custom toolbar configuration with the 'toolbarInline' option disabled, enabling the 'toolbarSticky' option didn't work. The toolbar didn't remain displayed at the top of the editing area when scrolling down in the content.

    13.0.85
  • Media library - New setting to disable the media files usage search index

    A new 'Settings -> Content -> Media -> Enable media files usage tracking' setting was introduced, which makes it possible to disable the media files usage search index. Disabling the index can improve performance for projects where viewing media file usage is not required.

    13.0.85
  • Media library - Unnecessary Azure requests when retrieving media file URLs

    Getting the URL of a media file using the 'IMediaFileUrlRetriever.Retrieve' API always generated the file's 'DirectPath' URL, even when it was not required or used. When storing media files on Azure storage, this resulted in unnecessary requests to Azure.

    13.0.85
  • Page builder - Selector dialogs broken with the 'CMSMVCResolveRelativeUrls' key

    When the 'CMSMVCResolveRelativeUrls' configuration key was set to 'false' for the live site application, selector dialogs for page builder component properties did not work. For example, if a widget had a property using the Page selector component, attempting to select a page displayed an empty dialog.

    13.0.84
  • Kentico Xperience 13 Refresh 7

    Hotfix 13.0.83 is the Kentico Xperience 13 Refresh 7 release, which represents a larger update than a standard hotfix and includes new features. For detailed information about the introduced changes, please refer to the Refresh release notes linked at the top of this section.

    13.0.83
  • Localization - Overriding system resource strings with formatting parameters

    For system resource strings containing formatting parameters (e.g. 'Hello, {0}.'), overriding the string in the Localization application or a custom resource file caused errors if the new value had a different number of formatting parameters. After applying the hotfix, a warning is instead logged to the Event log when the system attempts to use such resources.

    13.0.82
  • Installation - Error when installing new projects

    An error occurred when installing new projects from setup files that were updated to hotfix 13.0.80 or 13.0.81. To fix the issue, this hotfix must be applied to the Setup files (switch to advanced mode in the hotfix utility).

    13.0.82
  • WYSIWYG editor - Froala editor update

    The hotfix updates the used Froala editor to version 4.0.14. For example, the editor is used in the 'Rich text' page builder widget.

    13.0.82
  • Page builder - Wrong header name in the cookie policy detection response

    The cookie policy detection mechanism, which shows a notification message in cases where page builder content cannot be displayed due to blocked third-party cookies, had an incorrect 'X-Frames-Options' header set for the response. This combination of the header and its value is now deprecated in modern browsers. After applying the hotfix, the 'content-security-policy' header is used instead to provide the same security measures.

    13.0.81
  • E-mail engine - OAuth support for email servers

    Many email services are deprecating support of basic authentication via a username and password (for example Microsoft Exchange Online). The hotfix introduces an alternative way to connect to email servers using OAuth 2.0 token-based authorization. OAuth support covers both SMTP servers and mail servers for monitoring bounced emails (using POP3). By default, the system includes an OAuth provider for Microsoft Exchange Online - other services require implementation of a custom provider. The hotfix adds the 'MailKit 3.3.0' NuGet package to both the administration and live site projects, which may cause conflicts if your projects contain custom functionality using other versions of this package. See the hotfix instructions for details.

    13.0.80
  • User interface - 'Screen lock' not working after session timeout

    If a user's screen was kept locked past the session expiration configured for the administration application, the 'Unlock' and 'Sign Out' buttons did not work, and a full page refresh was necessary.

    13.0.79
  • Security - Bootstrap JavaScript library updated to v3.4.1

    The Bootstrap JavaScript library used in the administration interface was updated to v3.4.1 due to security vulnerabilities contained in the previous version.

    13.0.79
  • Event log - Canceled task errors in the event log

    Errors were logged into the system's event log when requests were aborted by a client (i.e., when the application canceled a task). This could result in a large number of unnecessary errors in certain environments. The issue occurred after applying hotfix 13.0.68 or newer.

    13.0.78
  • Contact management - Performance of contact mass actions with a separated database

    If the application had a separated database for on-line marketing data, running mass actions for contacts in the 'Contact groups' or 'Scoring' application caused the system to generate large and ineffective queries. This could lead to performance issues on sites with a large number of contacts, for example after starting an automation process for all contacts in a group.

    13.0.78
  • Pages - Incorrect Preview mode handling for pages without a URL

    For pages whose page type did not have the 'URL' feature enabled, the Preview mode in the Pages application displayed empty content and a JavaScript error occurred. After applying the hotfix, a message explaining the situation is displayed instead.

    13.0.77
  • Data engine - Custom 'IDataProvider' not used for all operations

    Custom 'IDataProvider' implementations were not used for all database operations performed by the system. For example, certain activity logging actions did not reflect such customizations. After applying the hotfix, all database operations use the custom data provider, with the exception of actions that occur when separating or rejoining the on-line marketing database.

    13.0.76
  • Marketing automation - Multiple non-recurring processes for the same contact

    Automation processes with 'Process recurrence' set to 'If the same process is not already running' or 'If the process has not run before' could incorrectly start multiple times for the same contact if actions that triggered the process were performed repeatedly within a short time period.

    13.0.75
  • Form components - 'Radio buttons' form component not working for certain numeric values

    Using numeric values that differ only in the first digit (e.g., 100, 200, 300) in the 'Radio buttons' form component's options generated input elements with identical IDs. As a result, users were unable to switch between the options. After applying the hotfix, a unique string is appended to each input's ID. The issue occurred after applying hotfix 13.0.70 or newer.

    13.0.75
  • API - Required columns not ensured for the 'WithPageUrlPaths' DocumentQuery method

    If the 'WithPageUrlPaths' parametrization method was used for DocumentQuery API calls together with a restricted list of retrieved data columns (e.g., using the 'Columns' method), the system did not automatically include required columns from the 'PageUrlPath' table, which could lead to errors.

    13.0.75
  • Performance - Performance issues for non-page requests

    On sites with content tree-based routing enabled, the system encountered performance issues when executing multiple requests to non-page routes (e.g., 'getattachment' or 'getmedia' file requests). This was noticeable, for example, when displaying thumbnails in the media file selector. The performance issues were caused by excessive database queries and cache entries.

    13.0.74
  • Kentico Xperience 13 Refresh 6

    Hotfix 13.0.73 is the Kentico Xperience 13 Refresh 6 release, which represents a larger update than a standard hotfix and includes new features. For detailed information about the introduced changes, please refer to the Refresh release notes linked at the top of this section.

    13.0.73
  • Scheduler - 'Use external service' not displayed for custom scheduled tasks

    The editing interface for custom scheduled tasks never displayed the 'Use external service' property.

    13.0.72
  • Caching - Unnecessary 'cacheurltopagemapper' cache keys for A/B tested pages

    Views of pages with a running A/B test generated an unnecessary number of 'cacheurltopagemapper' keys in the application cache when the page URL contained differences in the query string. After applying the hotfix, the cache key contains only the page URL without the query string.

    13.0.72
  • Performance - Performance issues in the media file selector

    On sites with content tree-based routing enabled, the system encountered performance issues when executing multiple requests to non-page routes (e.g., media library files or custom API endpoints). This was noticeable, for example, when displaying thumbnails in the media file selector. The performance issues were caused by excessive database queries and cache entries created for each non-page request. Note: This fix causes page builder errors in certain cases, for newly created pages or after changing a page's URL. We recommend applying a newer hotfix or refresh.

    13.0.72
  • Media library - Media files usage performance issues

    The media files usage tracking feature used up a significant portion of the available memory on sites with large amounts of data that could contain media files (pages, custom tables, or other system objects). The issue occurred when rebuilding and updating the 'Media files usage' local search index used by the feature. The hotfix improves the processing performance and reduces the memory usage of the index.

    13.0.71
  • Data protection - Consent agreement status cached incorrectly

    When consent agreements are added via the 'IConsentAgreementService' API, the system caches the agreement objects. If an agreement was then revoked using the 'IConsentAgreementInfoProvider' API, the agreement status was not flushed from the cache correctly. The hotfix ensures correct cache invalidation for 'IConsentAgreementInfoProvider' actions, however in most scenarios we recommend adding and revoking consent agreements via 'IConsentAgreementService'.

    13.0.71
  • Form builder - Incorrectly generated 'Radio buttons' ID attributes

    Using spaces in the values of the 'Radio buttons' form component generated elements with IDs containing spaces, which violates the HTML5 specification. After applying the hotfix, spaces are replaced by underscores in element IDs.

    13.0.70
  • Contact management - OM_ContactGroupMember identity column gaps in special cases

    In special cases, recalculations used to update dynamic contact groups caused gaps in the identity column (primary key) of the 'OM_ContactGroupMember' database table. On sites with very heavy traffic, this could lead to overflow errors and contacts were not added to contact groups correctly. The problem occurred in cases where a contact group condition contained a custom macro rule with a registered macro rule translator returning a query with an OR operator.

    13.0.69
  • Performance - Heavy memory allocation when serving non-HTML content

    The system incorrectly streamed data into the application memory when serving non-HTML content. This could lead to heavy memory allocation when returning large files or other types of data in action results. For example, the problem occurred for the default file handlers, such as '/getresource' and '/getmedia' or for custom endpoints that returned file content. The hotfix optimizes this type of memory usage for ASP.NET Core projects. Additionally, the hotfix introduces the 'DisableUrlResolutionAttribute', which developers can use to disable memory allocation for custom controller actions that return non-HTML content (e.g., PhysicalFileResult).

    13.0.68
  • WYSIWYG editor - Check Spelling feature removed

    The 'Check Spelling' feature in the 'Full' toolbar of the administration's rich text editor no longer works and causes the editor to freeze, which can lead to lost content changes. The hotfix removes the option from the editor, as the third-party plugin responsible for the feature is deprecated and has reached end-of-life. The SCAYT (Spell Check As You Type) feature remains without changes.

    13.0.67
  • Media library - Media file URLs with the direct path displayed incorrectly

    When viewing files in the Media library application, URLs containing the direct file path were encoded incorrectly and the displayed URL was invalid. For example, the problem affected files in media libraries using Azure Storage. The issue occurred after applying hotfix 13.0.64 (Refresh 5).

    13.0.66
  • Integration bus - Integration bus stuck after unexpected administration restart

    If the administration application was unexpectedly restarted while processing an integration task, the task was indefinitely evaluated as running, which prevented further integration tasks from being processed.

    13.0.66
  • UI personalization - Marketing automation 'Contacts' view mode not enabled

    If the UI personalization feature was enabled, the 'Contacts' view mode on the 'Process' tab of a process in the Marketing automation application was not accessible for users without the 'Administrator' privilege level (even if the user's roles had sufficient permissions and the corresponding element allowed in the UI personalization settings).

    13.0.65
  • Media library - Thumbnails could not be uploaded for media files on Azure storage

    Thumbnail images could not be uploaded for media library files when using Microsoft Azure Blob storage. The issue occurred after applying hotfix 13.0.10 or newer.

    13.0.65
  • Marketing automation - Processes with time-based triggers could get stuck

    Marketing automation processes with 'Time-based' triggers could get stuck when the trigger started the process for a large number of contacts. A stuck process remained in an action step (such as 'Send marketing email) and did not continue for the given contact.

    13.0.65
  • Caching - IPageRetriever didn't automatically configure default cache dependencies

    Default cache dependencies were not configured automatically when loading pages using the 'IPageRetriever' service in cases where the developer enabled caching without explicitly setting the 'Dependencies' of the 'IPageCacheBuilder' expression. After applying the hotfix, the service automatically adds the default dependencies for the cached data (default dependencies include the retrieved pages and their page types).

    13.0.65
  • Attachments - 'Check attachments permissions' changes not reflected on the live site

    Changes made to the 'System -> Files -> Check attachments permissions' setting were not reflected on the live site until the application's cache was cleared.

    13.0.65
  • Kentico Xperience 13 Refresh 5

    Hotfix 13.0.64 is the Kentico Xperience 13 Refresh 5 release, which represents a larger update than a standard hotfix and includes new features. For detailed information about the introduced changes, please refer to the Refresh release notes linked at the top of this section.

    13.0.64
  • REST - Hash parameter authentication failed for HTTPS requests

    Authentication hash parameters generated for REST service URLs with the HTTPS schema were invalid. The resulting requests failed to authenticate and returned the 401 Unauthorized status code.

    13.0.63
  • Import toolkit - Incorrect import of new culture versions for existing pages

    When using the Import toolkit utility to add a new culture version to an existing page, the import incorrectly replaced one of the page's existing culture versions instead of creating a new version. To fix the issue, the hotfix must be applied to the Setup files (switch to advanced mode in the hotfix utility).

    13.0.63
  • Email marketing - Inconsistencies between email open statistics and activities

    If a marketing email recipient viewed an email in a client that blocked images used for open tracking, and then clicked on a tracked link in the email content, the system logged the open statistic for the email, but didn't log the 'Opened marketing email' activity for the given contact. This could lead to marketing data inconsistencies between the email statistics and the activity log. After applying the hotfix, email open activities are logged when the action is recognized through a link click (depending on the site's consent requirements and the cookies stored in the browser where the recipient opens the link).

    13.0.63
  • Dialogs - Media selection dialogs not working correctly in special cases

    Selecting a file in a media selection dialog that was limited to a specific media library made it impossible to select files in other media dialogs that were limited to a different library. For example, the problem could occur when editing pages with two fields based on the 'URL selector' form control, each with a different media library selected in the form control's 'Available site libraries' setting.

    13.0.63
  • Content editing - Notifications about unsaved changes displayed twice

    For pages with fields based on the 'Rich text editor' form control, notifications about unsaved changes were incorrectly displayed twice on the 'Content' tab in the Pages application.

    13.0.63
  • Caching - Moving pages didn't clear the original parent from the cache

    Moving a page to another location in the content tree did not clear the page's original parent from the cache.

    13.0.63
  • E-commerce - Products with long names displayed incorrectly in the Orders application

    Products (SKUs) with very long names were displayed incorrectly when creating or editing orders in the 'Orders' application.

    13.0.62
  • Caching - 'Cache content (minutes)' setting handled incorrectly by the IPageRetriever API

    When using the 'IPageRetreiver' API to load and cache page content, the caching did not work in cases where the expiration period was not directly specified in the code, and the system's default 'Cache content (minutes)' setting had a value of 60 or more minutes.

    13.0.62
  • Licensing - Incorrect web farm behavior in localhost environments

    In certain cases, the system licensing incorrectly evaluated web farm availability for localhost environments, causing synchronization issues. The problem could occur in setups containing only domain-specific licenses.

    13.0.61
  • Authentication - Virtual context errors with external authentication on the live site

    On ASP.NET Core sites with external authentication (e.g., Azure AD) enabled for the entire live site, authentication didn't work correctly for virtual context URLs in the administration. As a result, related parts of the administration, such as the Preview mode of pages and the page or form builder interface, did not work unless users were already authenticated on the live site.

    13.0.61
  • Web farms - Deleting web farm servers in 'Automatic' mode

    When using the 'Automatic' web farm mode, deleting a 'Healthy' or 'Transitioning' web farm server via the 'Web Farms' application caused synchronization issues within the environment. After applying the hotfix, it is no longer possible to delete 'Healthy' and 'Transitioning' web farm servers if using the 'Automatic' mode. Only servers with the 'Not responding' status can be deleted.

    13.0.60
  • Scheduler - Misleading exception when launching the Scheduler Windows service

    In rare cases, an exception that occurred when launching the Scheduler Windows service masked a different exception, resulting in a misleading error message logged in the Windows Event Viewer. To fix the problem for new installations in the future, also apply hotfix 13.0.60 or newer to your Xperience setup files.

    13.0.60
  • Images - Image alternative text not generated with disabled on-line marketing

    Automatic generating of alternative text for images using the Microsoft Azure Computer Vision image recognition did not work for images inserted into the content of a 'Rich text' widget in the page builder interface. The problem only occurred when the 'Enable on-line marketing' setting was disabled.

    13.0.60
  • On-line forms - Incorrect localization of form properties

    Localization of a form's 'After the form is submitted' values ('Display text' or 'Redirect to URL') using resource strings on the 'General' tab of the form's editing interface did not work correctly. When the form was displayed on the live site using the 'Form' widget, the English version of the text was always displayed instead of using the current page's culture.

    13.0.59
  • API - 'NodeSIteID' column not ensured for the 'WithPageUrlPaths' DocumentQuery method

    If the 'WithPageUrlPaths' parametrization method was used for DocumentQuery API calls together with a restricted list of retrieved data columns (e.g., using the 'Columns' method), the system did not automatically include the 'NodeSiteID' column, which is required for certain scenarios. For example, this could lead to errors when retrieving the absolute URL of the loaded pages.

    13.0.59
  • WYSIWYG editor - Cursor jumping to different rich text editors in certain cases

    If the Rich text editor for the page builder had a custom toolbar configuration with the 'toolbarInline' and 'toolbarVisibleWithoutSelection' options enabled, the cursor jumped unexpectedly to other occurrences of the editor when working with multiple editors on the same page. For example, the problem could occur on pages containing multiple 'Rich text' widgets. The hotfix updates the used Froala editor to version 4.0.8.

    13.0.58
  • WYSIWYG editor - Dynamic text not working in the Rich text editor in certain cases

    The 'Dynamic text' dialog in the Rich text editor component for the page builder didn't work in certain cases. The problem occurred on pages containing multiple editors (e.g., several 'Rich text' widgets in the page builder), if the 'Enable on-line marketing' setting was disabled.

    13.0.58
  • Debug - Missing items in the live site cache debug

    The cache debug did not correctly process certain types of cache items related to objects available only on the side of the live site application. As a result, these cache items were missing on the 'Live site' tab of the cache debug in the administration.

    13.0.58
  • ASP.NET Core - Unit tests not working in .NET 6.0 projects

    Automated unit tests created using the 'Kentico.Xperience.Libraries.Tests' NuGet package did not work in projects targeting the latest .NET 6.0 release. Running tests inheriting from the 'CMS.Tests.UnitTests' base class resulted in an error.

    13.0.58
  • API - Required columns not ensured for the 'WithPageUrlPaths' DocumentQuery method

    If the 'WithPageUrlPaths' parametrization method was used for DocumentQuery API calls together with a restricted list of retrieved data columns (e.g., using the 'Columns' method), the system did not automatically include required page columns, which could lead to errors.

    13.0.57
  • WYSIWYG editor - Audio and video files in rich text page fields not displayed correctly

    Video or audio multimedia files inserted into rich text page fields were not displayed correctly on the website. The problem affected pages fields based on the 'Rich text editor' form control when media was added via the 'Insert image or media' or 'Quickly insert media' button. The generated markup contained the deprecated '<object>' element, which is no longer supported by current browsers.

    13.0.56
  • Pages - Generate preview link button not working

    The 'Generate preview link' button on the Properties > URLs tab in the Pages application did not work correctly and could not be used to invalidate the previous preview link for the page.

    13.0.55
  • Page builder - Template property changes not reflected for pages under workflow

    After editing the properties of a page template for pages under workflow with check-in/check-out enabled, the changes were not displayed immediately on the Page tab in the Pages application after the page was saved. The problem was caused by incorrect clearing of cached template property values, and the page was displayed correctly on the live site or after a full reload in the administration.

    13.0.55
  • Media library - Validation of long media library folder names freezes the interface

    The validation process for media library folder names was too complex and could cause the administration interface to freeze. The problem occurred when creating a folder in a media library if the folder name was long and contained invalid characters.

    13.0.55
  • E-commerce - 'Buy X Get Y' discount performance

    The hotfix improves the performance of 'Buy X Get Y' discounts with buy conditions based on product sections. The evaluation of such discounts was slow for shopping carts containing a large number of products.

    13.0.55
  • URL rewriting & SEO - Alternative URL issues after updating an ancestor page's URL slug

    Alternative URLs of a page didn't work correctly after the URL slug was changed for one of the page's ancestors in the content tree. The original cached alternative URLs were not invalidated correctly, so the problem persisted until the application's cache was cleared.

    13.0.54
  • Form components - Default value error for form components with a non-nullable data type

    The default value of form components was initialized incorrectly. This caused an error for form components that had a non-nullable data type (e.g., value types such as 'int' or 'bool') in cases where a default value was not assigned.

    13.0.54
  • E-commerce - Product properties couldn't be cleared for non-default culture versions

    If a product had multiple culture versions, certain properties, such as the 'Product name', 'Description' and 'Short description' couldn't be cleared to an empty value for the non-default culture. The product incorrectly used the value from the default culture version instead of the empty value.

    13.0.53
  • Kentico Xperience 13 Refresh 4

    Hotfix 13.0.52 is the Kentico Xperience 13 Refresh 4 release, which represents a larger update than a standard hotfix and includes new features. For detailed information about the introduced changes, please refer to the Refresh release notes linked at the top of this section.

    13.0.52
  • Unix/Linux - Issues saving Page builder widgets when deployed in Linux environments

    It was not possible to edit widget properties via the configuration dialog (cogwheel icon). Attempting to save any changes resulted in an HTTP 403 (Forbidden) error. This issue only occurred when the live site was deployed in Linux environments.

    13.0.51
  • Licensing - Error when accessing the 'License keys' application

    Under rare circumstances, accessing the 'License keys' application resulted in an error, making it impossible to manage product licenses.

    13.0.51
  • Form components - reCAPTCHA form component not working with TLS 1.3

    The system's reCAPTCHA form component did not support communication via the TLS 1.3 protocol. If the live site application was configured to use TLS 1.3, forms containing the reCAPTCHA component could not be submitted and the component itself returned a 'The reCAPTCHA server is unavailable' validation error.

    13.0.51
  • Search - Not possible to configure Azure Search service hosting domain

    It was not possible to change the domain name suffix of requests generated by the system for Azure search services (e.g., 'myazuresearchservice.search.windows.net'). The majority of commercial search services are hosted on the 'search.windows.net' domain. However, certain Azure subscription types, such as Azure Government, host search services under different domains. The hotfix introduces a new 'CMSAzureSearchDnsSuffix' configuration key that allows you to specify the domain where your search services are hosted, overriding the default system behavior. See the hotfix instructions for details.

    13.0.50
  • Content personalization - DI not supported for personalization condition types

    Dependency injection was not supported when developing personalization condition type classes for page builder widgets. After applying the hotfix, the constructor of condition type classes inheriting from the 'ConditionType' base class can have parameters (e.g., instances of services registered in the project's DI container). The hotfix does not add dependency injection support in controller classes that implement custom configuration dialogs for personalization conditions (inheriting from 'ConditionTypeController').

    13.0.50
  • Staging - Confusing event log entries when staging roles

    After a role with assigned users was updated and synchronized through staging, the event log on the target server contained confusing 'Remove user from role' entries. The problem only affected the event log and the users were not actually removed from the role.

    13.0.49
  • Page builder - Attributes removed from script tags in builder components

    Script tags placed in the markup of page and form builder components (for example widgets) were rendered without attributes in most cases when the component was displayed in the builder interface or the live version of the page. For example, this could break scripts using the ' type="module" ' attribute.

    13.0.49
  • Page builder - Unnecessary warning about changed widget zone names on new pages

    If a widget zone's name (identifier) was added or changed in the code of a page builder section, new pages with the section displayed an unnecessary warning, even though the page didn't contain any widgets that could be affected by the change. The problem occurred if the updated section was the default option for an editable region on the page or its template.

    13.0.49
  • E-commerce - Redundant SKUs after copying product pages with multiple culture versions

    Copying a product page with multiple culture versions incorrectly created a redundant copy of the related SKU object for every culture version. After applying the hotfix, only one SKU is created for the product page copy and shared by all culture versions.

    13.0.48
  • API - Dependency injection of services with a Scoped lifetime in Core projects

    In ASP.NET Core projects, an error occurred when using dependency injection to get instances of services with a Scoped lifetime within the constructors of certain Xperience API classes. For example, the problem affected General selector data providers ('IGeneralSelectorDataProvider' implementations), Object selector Where condition providers, form components, page template or form component filters, and 'ICacheVaryBy' implementations.

    13.0.48
  • Files - Permanent links not working for certain media and attachment files on Core sites

    If a media library file or page attachment contained non-ASCII characters in its name, accessing the file through a permanent link ('~/getmedia' or '~/getattachment' URL) resulted in an error. The problem occurred only on sites using the ASP.NET Core development model.

    13.0.47
  • URL rewriting & SEO - Duplicated query string after alternative URL rewrite on Core sites

    When a page on an ASP.NET Core site was accessed under an alternative URL with the 'Alternative URLs mode' configured to 'Rewrite', any query string parameters present in the URL became duplicated (e.g., '?utm_source=xxx' transformed into '%3futm_source=xxx?utm_source=xxx') and a redirection loop occurred.

    13.0.46
  • Pages - 'Show in menu' flag not saved for pages

    Changes of the 'Show in menu' flag on the 'Properties > Navigation' tab of pages weren't saved. The issue occurred only after applying hotfix 13.0.39 or newer.

    13.0.46
  • Page builder - Border overflow of image thumbnails in the media selector

    Image thumbnails in the 'Media files selector' for page builder component properties could overflow the borders of the selector field due to incorrect CSS z-index values.

    13.0.46
  • Page builder - Editors could select items over the set limit in page builder selectors

    Under special circumstances, it was possible to select more items than allowed by the set limit in certain selectors for page builder component properties. The problem could occur if a user performed the selection while additional items were also being loaded for pagination in the selector.

    13.0.46
  • User interface - Default values of module class fields not resolved correctly

    If a macro was placed into the default value of a field with the 'Date & Time' data type in a module class (or its Alternative form), the value was not resolved correctly in the resulting administration interface form for users with a non-English UI culture.

    13.0.45
  • Search - Failed JWT token validation for the search crawler when behind a proxy server

    On sites running behind a proxy server or another service that masks the application's original domain (e.g., Azure Application Gateway), the smart search crawler used for page types with a 'HTML output' search data source did not work correctly. JWT token validation failed, which resulted in logged errors and only content available for public users was indexed. The hotfix fixes the issue for ASP.NET Framework (MVC 5) sites. For ASP.NET Core sites, Forwarded Headers Middleware needs to be set up for the project. See the hotfix instructions for details.

    13.0.45
  • Page builder - "Missing page" warning not displayed by Page and Path selectors

    After a page chosen in the 'Page' or 'Path' selector components was deleted from the site, the selector automatically removed it without displaying any information. After applying the hotfix, the selectors display a "Missing page" warning in this scenario. The issue affected instances with hotfix 13.0.43 (Refresh 3), which allows selection of multiple pages for these selectors.

    13.0.45
  • Page builder - Improved tooltip of the 'Select all' button in page selector dialogs

    The 'Page selector' dialog for page builder component properties had a potentially misleading tooltip for the button that selected all pages on the current level. The hotfix updates the tooltip to provide more accurate information.

    13.0.45
  • Media library - Direct path not working for media library files on Core sites

    Accessing media library files using the direct file path did not work correctly in certain scenarios on sites using the ASP.NET Core development model. The issue occurred only after applying hotfix 13.0.44.

    13.0.45
  • Sentiment analysis - Error in the Dancing Goat sentiment analysis demo automation process

    When working with the marketing automation process generated by the sentiment analysis demo on the Dancing Goat sample site, an error occurred if the 'Analyze sentiment' custom step was manually added to the process. The error prevented further work in Design mode for the process.

    13.0.44
  • E-commerce - 'Remove from inventory' value not saved when creating new bundle products

    When creating new products representing a 'Bundle', the 'Remove from inventory' property was always saved with the 'Remove bundle only' value, even if a different option was selected.

    13.0.44
  • Attachments - Redirect files to disk with a custom folder not working on Core sites

    On ASP.NET Core sites, page attachments that were stored on the file system in a custom folder (configured as a virtual path in the 'Settings -> System -> Files -> Files folder' setting) were not loaded and returned a 404 Not Found error if the 'Settings -> System -> Performance -> Redirect files to disk' setting was enabled.

    13.0.44
  • Kentico Xperience 13 Refresh 3

    Hotfix 13.0.43 is the Kentico Xperience 13 Refresh 3 release, which represents a larger update than a standard hotfix and includes new features. For detailed information about the introduced changes, please refer to the Refresh release notes linked at the top of this section.

    13.0.43
  • Unix/Linux - Database issues with isolated integration tests on Linux

    It was not possible to run Xperience-specific isolated integration tests (derived from the 'IsolatedIntegrationTests' class) in Linux environments due to database connection issues. The hotfix introduces a new 'CMSTestIsolatedAltConnectionString' configuration key that allows test projects to connect to databases running in Linux environments. See the hotfix instructions for details.

    13.0.42
  • Security - Screen lock not working with certain locking intervals

    The screen lock functionality did not activate if the screen lock interval was configured to a period longer than 15 minutes.

    13.0.42
  • E-mail engine - Emails stuck in the sending state in special cases

    The system stopped sending emails in rare cases when an SMTP server did not return any response. Emails remained stuck in the email queue with the 'Sending' state. On instances with only one SMTP server configured, this scenario could fully block sending of emails.

    13.0.42
  • WYSIWYG editor - Error when replacing images added in the rich text editor code view

    If an image tag was manually inserted in the 'Code View' of the Rich text editor component, an error occurred when using the 'Replace' option for the image. For example, the problem occurred when editing the content of the 'Rich text' page builder widget.

    13.0.41
  • WYSIWYG editor - Rich text editor prevented customization of the Insert Link dialog

    The Rich text editor for the Page Builder did not allow customization of the 'Insert Link' dialog. The 'linkAttributes' toolbar option was not reflected by the system.

    13.0.41
  • MVC - Invalid 'Url.Action' and 'Html.ActionLink' link URLs on pages using templates

    Links generated by the 'Url.Action' and 'Html.ActionLink' methods on MVC sites had invalid URLs for pages that used page templates. The problem could occur if the methods were called directly in a page template view or in the code of a layout used by the page.

    13.0.41
  • User interface - Overflowing radio button or checkbox lists in the administration

    Radio button or checkbox lists in the administration interface were not styled correctly and could overflow if there was a very large number of options. For example, the problem could occur when displaying filters based on E-commerce product options.

    13.0.40
  • Sentiment analysis - Analysis not working for rich text content without HTML tags

    The sentiment analysis feature did not work in cases where all wrapping HTML tags were removed from the content of a page field based on the 'Rich text editor' form control.

    13.0.40
  • Form builder - Argument null exception when accessing the Form Builder on Linux

    The Form Builder was incorrectly configured to detect the default invariant culture when running on Linux environments. As a result, attempts to access the Form Builder interface resulted in an error in certain cases (ArgumentNullException). The issue occurred only after applying hotfix 13.0.14 or newer.

    13.0.40
  • Files - File handler errors on Core sites with certain default content cultures

    An error occurred when retrieving files using Xperience handlers on ASP.NET Core sites with certain non-English default content cultures (e.g., Arabic). For example, the issue occurred for permanent URLs of media library files based on the 'getmedia' handler, such as '/getmedia/0140bccc-9d47-41ea-94a9-ca5d35b2964c/image.jpg'.

    13.0.40
  • Attachments - Image resizing settings not applied for page attachments in certain cases

    The image resizing settings configured in 'Settings > System > Files > Image resizing' were not applied to images uploaded as page attachments using the 'Attachment selector' or 'Rich text editor' component. For example, the problem occurred when a file was uploaded through a page builder widget property using one of the given form components.

    13.0.40
  • UI personalization - Properties > Navigation tab in the Pages application not enabled

    If the UI personalization feature was enabled, the 'Properties > Navigation' tab in the Pages application was not accessible even if the corresponding element in the UI personalization settings was allowed for a user's role.

    13.0.39
  • Media library - Image resizing settings not applied for the 'Media files selector'

    The image resizing settings configured in 'Settings > System > Files > Image resizing' were not applied to images uploaded using the 'Media files selector' or 'Rich text editor' component. For example, the problem occurred when a file was uploaded through a page builder widget property using one of the given form components.

    13.0.39
  • Form builder - Unsupported content selector options in the Rich text editor

    When the 'Rich text editor' was assigned to a property of a form component or section, the editor interface incorrectly displayed the 'Select' option for links and 'Replace' option when editing images. These options are not supported in the form builder and caused an error when clicked. After applying the hotfix, the unsupported options are hidden when the rich text editor is used within the form builder.

    13.0.39
  • A/B testing - A/B test visits logged for untracked visitors

    On instances with hotfix 13.0.25 or newer applied, A/B tests incorrectly logged visits of the tested page and conversions for visitors who had not given consent to be tracked as contacts (did not accept on-line marketing cookies). This could impact the conversion statistics of A/B tests in a misleading way. After applying the hotfix, visits and conversions are logged only for contacts included in the A/B test. If a visitor gives consent after viewing the tested page for the first time, visits and conversions are logged only after they revisit the page.

    13.0.39
  • Macros - Macro rules not working correctly if a parameter had '&' in its Field caption

    Macro rules didn't work correctly if they had a parameter with a 'Field caption' that contained the '&' character. When such rules were added to a condition, the condition was only saved as macro code without the rule interface. Additionally, any macro rule translators registered to optimize the rule's performance were not applied.

    13.0.38
  • Hotfix - Hotfix 13.0.37 not applied correctly

    When installing hotfix 13.0.37, certain files were incorrectly marked and detected as customized, which prevented the hotfix from fully applying changes (manual resolving of the affected code was required). Apply hotfix 13.0.38 or newer to correctly fix issues from the previous hotfix.

    13.0.38
  • API - Dependency injection not supported for page template and form component filters

    Dependency injection was not supported when developing filters for page templates or form components. After applying the hotfix, the constructor of filter classes implementing 'IPageTemplateFilter' or 'IFormComponentFilter' can have parameters (e.g., instances of services registered in the project's DI container). Such filters must be registered into the corresponding filter collection using the 'Add<FilterClassType>' method, with the filter class as the generic type parameter.

    13.0.38
  • Page builder - Certain page and form builder actions not working in the Chrome browser

    Actions in the page builder and form builder interface that opened confirmation dialogs did not work when using version 92.0.4515 or newer of the Chrome browser. For example, the problem occurred when deleting widgets and sections, or after canceling changes in a properties dialog. The following error was logged into the browser console: "A different origin subframe tried to create a javascript dialogue. This is no longer allowed and was blocked."

    13.0.37
  • On-line forms - 'Display text' option incorrectly subjected to HTML encoding

    When using the 'Display text' option in the 'After the form is submitted' setting on a form's 'General' tab with localized text, the entered text was incorrectly subjected to HTML encoding before being displayed on the live site (e.g., the '<' character was transformed into '&lt').

    13.0.37
  • Staging - Custom table item synchronization tasks always logged for all sites

    Staging synchronization tasks for custom table items were always logged for all sites in the system, even when the 'CMSStagingLogGlobalObjectsOnlyForAssignedSites' configuration key was enabled. After applying the hotfix, the tasks are logged only for sites to which the parent custom table of the modified item is assigned.

    13.0.35
  • Pages - Modify permissions incorrectly required for the Page and Preview tab

    The 'Edit > Page' and ' Preview' tabs of the Pages application incorrectly required the 'Modify' permission for pages (i.e., the 'Content' module or specific page types). These tabs displayed blank content for users with only 'Read' and 'Browse tree' permissions.

    13.0.35
  • Content personalization - Object and General selectors in widget personalization dialogs

    The object and general selector components with multiple item selection did not work correctly in page builder widget personalization dialogs. If one of these selectors was assigned as the editing component of a personalization condition type property, selecting a value for the property resulted in a broken personalization dialog.

    13.0.35
  • API - 'UserInfoProvider.GetUserName' method causing a null reference exception

    The 'UserInfoProvider.GetUserName' method could cause a null reference exception in certain scenarios where the processed user did not exist. This could lead to errors when calling user-related API in custom code, for example the 'UserRoleInfoProvider.DeleteUserRoleInfo' method.

    13.0.35
  • WYSIWYG editor - Updated links in the Rich text editor not saved without clearing

    Editing and saving a link within the content of the Rich text editor component did not work unless the existing link was cleared beforehand. For example, the problem occurred when editing the content of the 'Rich text' page builder widget.

    13.0.34
  • WYSIWYG editor - Image links could not be typed manually in the Rich text editor

    When adding a link to images within the content of the Rich text editor component, the link URL could not be typed manually. Pasting the link or selecting an item to link worked correctly. For example, the problem occurred when editing the content of the 'Rich text' page builder widget.

    13.0.34
  • Salesforce - Salesforce lead replication did not work correctly for merged contacts

    With replication of contacts into SalesForce leads enabled, data was not correctly transferred to SalesForce for merged contacts (when a merged contact was updated or a new contact was created and merged into an existing contact). The issue also incorrectly prevented such contacts from being replicated in the future.

    13.0.34
  • Form components - Dependency injection not supported for General selector data providers

    Dependency injection was not supported when developing data provider classes that load and prepare items for the General selector component. After applying the hotfix, the constructor of data provider classes implementing 'IGeneralSelectorDataProvider' can have parameters (e.g., instances of services registered in the project's DI container).

    13.0.34
  • WYSIWYG editor - Rich text editor customizations not working

    Custom toolbar configurations for the Rich text editor were not applied when the component was used in a page builder widget. The problem occurred after applying hotfix 13.0.31 or 13.0.32 (Refresh 2).

    13.0.33
  • URL rewriting & SEO - Alternative URL redirection duplicated query string parameters

    When a page was accessed under an 'Alternative URL' with the system configured to redirect to the main page URL, any query string parameters present in the URL became duplicated (e.g., '?utm_source=xxx' transformed into '?utm_source=xxx?utm_source=xxx').

    13.0.33
  • Search - Azure search tasks for stand-alone SKUs triggered unnecessary index updates

    Azure search index update tasks generated by the system for stand-alone SKUs incorrectly contained data that could trigger an index update for a page with an identical ID as the stand-alone SKU. Such index updates were unnecessary, since stand-alone SKUs are not tied to pages and updates never lead to changes in any page objects.

    13.0.33
  • Web farms - Performance issues after scaling down servers in automatic web farms

    In hosting environments that dynamically adjust the number of instances (e.g., autoscaling in Azure App Services), deactivated web farm servers always remained in the system with the 'Not responding' status for 24 hours. This could cause performance problems and heavy database load due to large numbers of unnecessary synchronization tasks generated after scaling down the number of servers. The hotfix adds the option to adjust the interval for which web farm servers stay in the 'Not responding' status before being deleted. To change the default interval of 24 hours, set the new 'CMSWebFarmNotRespondingInterval' configuration key to the required number of minutes, e.g., '60' for 1 hour.

    13.0.32
  • Page builder - Object and General selectors broken after unselecting in multiple mode

    If a page builder component property used the object or general selector with multiple item selection, unselecting an item triggered the evaluation of visibility conditions incorrectly, which resulted in a broken state of the selector. The issue occurred only after applying hotfix 13.0.25 or newer.

    13.0.32
  • Page builder - Rich text editor content preview broken in page builder dialogs

    The 'Rich text editor' component displayed the preview of its content incorrectly when used in a page builder configuration dialog (for example assigned as the editing component of a widget property). The issue only occurred after applying hotfix 13.0.31 (Refresh 2).

    13.0.32
  • Media library - Error when ordering the list of media library files in special cases

    When the 'CMSMediaLibraryDisplayOnlyImportedFiles' configuration key (an internal key provided via support to specific customers) was set to true, ordering the list on the 'Files' tab of the media library editing interface based on the 'Modified' column resulted in an error.

    13.0.32
  • Form controls - Calendar fields incorrectly resolving datetime macros in special cases

    If an administration form field used the 'Calendar' form control and had a visibility condition depending on another field, datetime macros placed into the field's default value were incorrectly resolved into the English (en-US) culture instead of the user's selected UI culture. This could lead to inconsistencies or date format errors. For example, if a page type field used the Calendar form control, with the '{%DateTime.Now%}' macro as the default value, the problem could occur when a user with the 'English - United Kingdom' UI culture created a new page of the given type.

    13.0.32
  • Content editing - Missing tooltip for the Sentiment analysis button

    The button for performing sentiment analysis of rich text or text area fields didn't have a tooltip (on the Content tab of the Pages application).

    13.0.32
  • Kentico Xperience 13 Refresh 2

    Hotfix 13.0.31 is the Kentico Xperience 13 Refresh 2 release, which represents a larger update than a standard hotfix and includes new features. For detailed information about the introduced changes, please refer to the Refresh release notes linked at the top of this section.

    13.0.31
  • URL rewriting & SEO - Page URLs not redirected based on 'Use URLs with trailing slash'

    The 'Use URLs with trailing slash' setting for sites with content tree-based routing only applied to URLs generated for pages by the system. Page URLs with a different trailing slash state were not redirected based on the selected option.

    13.0.30
  • Page builder - Builder interface error on sites with an Administration domain alias

    On sites with a defined Administration domain alias, an error occurred when viewing parts of the administration based on virtual context URLs, for example the Preview mode of pages and the page builder or form builder interface. The issue only affected instances with hotfix 13.0.29 or newer applied.

    13.0.30
  • General - Builder interface errors after switching sites hosted on a shared application

    On instances containing multiple sites hosted on a single application with shared resources (e.g., using the same Azure Web Apps service or a shared application pool on an IIS server), switching between sites in the administration caused errors for virtual context URLs, for example when viewing pages in Preview mode, editing pages using the page builder, or editing forms in the Form builder interface.

    13.0.29
  • Security - Virtual context URL authentication update

    The hotfix updates the authentication functionality for virtual context URLs used in the administration interface when previewing or editing live site pages. The minor changes ensure a higher level of security.

    13.0.29
  • WYSIWYG editor - Rich text editor fields displayed incorrectly when disabled for editing

    Page fields based on the 'Rich text editor' form control were displayed incorrectly in cases where the field was disabled for editing. For example, the problem could occur on the 'Content' tab for pages under workflow with the 'Published' status.

    13.0.29
  • Unix/Linux - 404 errors when retrieving files from external storage

    Attempting to retrieve files hosted on external storage via Xperience handlers (e.g., 'GetAzureFile.aspx') resulted in a HTTP 404 Not Found error. This issue only occurred on ASP.NET Core applications hosted on Linux.

    13.0.27
  • URL rewriting & SEO - Former URL redirects not preserving the query string

    When using the former URLs functionality for pages on a site with content tree-based routing, the system did not preserve query string values when redirecting visitors from former URLs to the current ones.

    13.0.26
  • API - 'WithVariant' extension method for 'IPageAttachmentUrl' returned the wrong URL

    Getting URLs for image variants of page attachments by calling the 'WithVariant' extension method for 'IPageAttachmentUrl' objects did not work, and the original unmodified attachment URL was returned.

    13.0.26
  • Pages - Inconsistent page alias values in special cases

    For pages with a name longer than the maximum allowed alias length of 50 characters, the system could in certain cases generate a page alias value ending with the replacement character for forbidden URL characters (a hyphen by default). This character was removed on subsequent saves of the page, which could lead to inconsistencies, for example when staging the page to another server. After applying the hotfix, page aliases are always generated without the replacement character at the end.

    13.0.25
  • Page builder - Object and General selectors not working correctly in multiple item mode

    Page builder component properties using the object or general selector with multiple item selection triggered the evaluation of visibility conditions after the selection of the first item. As a result, it was not possible to select multiple items and the dialog did not close properly. The issue occurred only after applying hotfix 13.0.23 or newer.

    13.0.25
  • General - Obsolete 'System.Text.Json' assembly in the administration Lib folder

    The Xperience administration project contained an old version of the 'System.Text.Json' assembly in its Lib folder, which could cause assembly version conflicts. Applying the hotfix removes the obsolete assembly (the correct version is already provided via an installed NuGet package).

    13.0.25
  • A/B testing - Page variants displayed inconsistently for untracked visitors

    Pages with a running A/B test displayed variants inconsistently to visitors who had not given consent to be tracked as contacts (did not accept on-line marketing cookies). After applying the hotfix, the system assigns a page variant and stores it into the new 'CMSVarAB<name>' cookie even for visitors who are not tracked as contacts. This cookie is only used to keep content consistent and does not enable any tracking or logging of conversions.

    13.0.25
  • Pages - Changes in Rich text editor page fields not saved in special cases

    For pages under workflow with content locking enabled, fields using the 'Rich text editor' form control did not save changes in certain cases after performing a 'Check in' action. The problem occurred only if the editing form was refreshed after the changes were made in the rich text editor, for example by uploading an attachment file into a different page field.

    13.0.24
  • Microsoft Azure - Error when retrieving media files from Azure storage on Core sites

    An error occurred when retrieving media files from Azure storage on ASP.NET Core sites hosted in environments where the live site and administration applications used cultures with different date and time formatting (e.g., 'en-US' for the administration and 'cs-CZ' for the live site).

    13.0.24
  • Media library - Pages in the media file list not displaying data in special cases

    When the 'CMSMediaLibraryDisplayOnlyImportedFiles' configuration key (an internal key provided via support to specific customers) was set to true, the list on the 'Files' tab of the media library editing interface only displayed the first page of files. Any additional pages contained an empty list of files.

    13.0.24
  • Page builder - Certain editing components did not display a tooltip

    If a Tooltip was specified when assigning an editing component to a property used in the page builder, it was not displayed in the resulting property configuration dialog for certain types of editing components (e.g., selectors or Rich text).

    13.0.23
  • On-line forms - Error class not assigned to input elements of invalid form fields

    The input elements of form fields generated by the system's default 'Form' widget did not have the 'input-validation-error' class assigned when the submitted value was not valid (either due to failed validation rules or an empty value in required fields).

    13.0.23
  • General - System.Text.Encodings.Web package updated to version 4.7.2

    The hotfix updates the 'System.Text.Encodings.Web' package to version 4.7.2 for .NET Framework (MVC 5) projects.

    13.0.23
  • Page builder - Selectors not triggering visibility condition re-evaluation

    Page builder component properties using the object or general selector did not trigger evaluation of visibility conditions. When the property value was changed, the visibility conditions of other depending properties were not re-evaluated. To ensure that this functionality works properly, apply hotfix 13.0.25 or newer.

    13.0.23
  • Page builder - Object selector displayed incorrectly when focused without clicking

    The object selector for page builder components was displayed incorrectly when the field was focused without clicking, for example by using the 'Tab' key to navigate the widget properties dialog.

    13.0.22
  • Files - File and directory operations not working with UNC paths in certain cases

    File and directory operations (media file manipulation, attachment upload, etc.) sometimes resulted in an error if the manipulated resource was stored on a UNC path (e.g., \\host-name\share-name\file-path). The issue occurred only after applying hotfix 13.0.10 or newer.

    13.0.22
  • Pages - SQL search in the Pages application displayed all pages

    The search in the Pages application did not work correctly when using the '(SQL search)' option. The results always displayed all pages regardless of the search phrase.

    13.0.21
  • Localization - Incorrect culture for certain system emails

    System emails based on the 'Membership - Change password request', 'Membership - Password reset confirmation' and 'E-commerce - Automatic registration' email templates were sent with an incorrect culture in certain scenarios. Localization macros placed into the templates were resolved into a default culture (English) instead of the user's current content culture on the site.

    13.0.21
  • Caching - CacheHelper.EnsureKey API method case sensitivity

    The 'CacheHelper.EnsureKey' API method did not work correctly if the cache key parameter was not fully in lower case (the key was touched even if it was already present in the application's cache). After applying the hotfix, the cache key parameter processing is no longer case-sensitive and existing cache keys are detected correctly.

    13.0.21
  • Continuous integration - Error when restoring data after switching the routing mode

    If continuous integration was enabled and a site's 'Routing mode' setting was switched to a different option, an error could occur when restoring the updated 'Page URL path' objects to the database.

    13.0.20
  • Search - Missing 'User account for crawler' property for Pages search indexes

    The 'User account for crawler' property was not displayed when editing smart search indexes of the 'Pages' type (for both Local and Azure indexes). The issue affected instances with hotfix 13.0.16 (Refresh 1) or newer applied.

    13.0.19
  • Page types - Missing default images for page type icons

    When editing a page type in the Page types application on the General tab, the default 'Small icon' and 'Large icon' images displayed after switching the 'Page type icon' property to 'Images' mode were missing.

    13.0.19
  • ASP.NET Core - Automated test errors in projects targeting .NET Core 5

    Automated tests created using the 'Kentico.Xperience.Libraries.Tests' NuGet package did not work in projects targeting ASP.NET Core 5. Running tests inheriting from the provided base classes, such as 'CMS.Tests.UnitTests', resulted in an error.

    13.0.19
  • Web farms - Web farm task processing stuck in certain cases

    In rare cases, web farm task execution became stuck due to a deadlock that occurred during cache invalidation. This caused synchronization issues between the administration and live site applications.

    13.0.18
  • Pages - Missing template selection for pages representing products

    The system did not display the page template selection dialog when creating new pages in the Pages or Products application for page types representing a product (when at least one page template was registered for these product page types).

    13.0.18
  • Page builder - EditableAreaAsync error when called without 'EditableAreaOptions'

    An error occurred when adding page builder editable areas to views on an ASP.NET Core site via the 'EditableAreaAsync' extension method, if the 'EditableAreaOptions' parameter was not specified. The issue occurred only after applying hotfix 13.0.16 (Refresh 1).

    13.0.18
  • Localization - Requirements to select an existing resource string in localization dialogs

    When localizing text fields in the administration's 'Localize field' dialog, the 'Use existing resource key' option was only available for users with the Global administrator privilege level. After applying the hotfix, the option can also be used by editors with the 'Localize strings' permission for the 'Localization' module.

    13.0.18
  • Licensing - Error when changing a site's default content culture with a Free license

    For sites running under a Free edition license, attempting to change the 'Default content culture' on the General tab of the site editing interface resulted in an unhandled error.

    13.0.18
  • Email marketing - Marketing email browser links not working when shared on Facebook

    URLs generated by the 'ViewInBrowserUrl' macro that allow recipients to view marketing emails in a browser did not work when shared on certain external platforms, for example Facebook or Facebook Messenger. Opening the URL resulted in an "Access denied" error.

    13.0.18
  • Caching - Widgets with enabled output caching causing errors on Core sites

    If a page builder widget on an ASP.NET Core site had output caching enabled (using the 'AllowCache' property of the 'RegisterWidget' attribute), and the widget's implementation was not based on a view component, an error occurred when rendering the widget in an editable area that allowed caching.

    13.0.18
  • API - Unit testing of page template filters

    Automated unit testing of page template filters was not possible due to internal API. Applying the hotfix makes the constructors of the 'PageTemplateDefinition' and 'PageTemplateFilterContext' classes public.

    13.0.18
  • URL rewriting & SEO - Page type 'URL pattern' values without a starting slash

    On sites that used 'Custom' routing mode, setting values without a starting slash ('/') for the 'URL pattern' of page types resulted in invalid URLs for the given pages. For example, such URLs could cause errors in the administration's page selectors. After applying the hotfix, the system automatically processes URL patterns with a starting slash if one is missing in the entered value.

    13.0.17
  • Page types - Page type image icons not displayed on the General tab

    When editing a page type in the Page types application on the General tab, the 'Page type icon' property was always initially displayed in 'Font icon class' mode, even if the 'Images' mode was previously selected and an image file was uploaded. This could cause users to unintentionally overwrite the icon when saving the page type properties.

    13.0.17
  • Page builder - Page builder issues when configuring the 'LogLevel' of 'KenticoEventLog'

    Setting the logging verbosity ('LogLevel' property) for the 'KenticoEventLog' application logger in ASP.NET Core projects to anything lower than 'Warning' (i.e., 'Trace,' 'Debug,' or 'Information') lead to errors when editing pages in the page builder interface.

    13.0.17
  • Kentico Xperience 13 Refresh 1

    Hotfix 13.0.16 is the Kentico Xperience 13 Refresh 1 release, which represents a larger update than a standard hotfix and includes new features. For detailed information about the introduced changes, please refer to the Refresh release notes linked at the top of this section.

    13.0.16
  • URL rewriting & SEO - 404 error when accessing certain administration URLs

    In certain cases, the system incorrectly returned a 404 (Not Found) error when attempting to access administration URLs ending with an extension (e.g., custom '.aspx' handlers or UI templates). The issue occurred only after applying hotfix 13.0.10 or newer.

    13.0.15
  • Page builder - Unnecessary reloads of forms in page builder dialogs while typing

    Typing in fields within page builder properties dialogs triggered unnecessary reloads of the editing form. This could cause loss of entered text characters and other user experience issues, particularly in the case of slower connections.

    13.0.14
  • Localization - Page and form builder UI text not resolved correctly on Core sites

    If a different UI culture than English ('en-US') was selected for the administration on an ASP.NET Core site, text within the page and form builder interface was not resolved correctly in certain cases.

    13.0.14
  • General - Assemblies not using a fixed patch version number

    The Xperience assemblies incorrectly used the specific hotfix number in their patch version, for example '13.0.10'. This could lead to compatibility problems for referencing custom assemblies and require generating of unwanted binding redirects. After applying the hotfix, the assembly version is fixed as '13.0.13', including future hotfixes.

    13.0.14
  • General - Locked zip files blocking administration application deployment

    The system incorrectly handled locking of zip files (for example the '\App_Themes\Default\Images\Images.zip' package), which could block certain deployment scenarios for the administration application.

    13.0.14
  • Email marketing - Unsupported 'Email' macros displayed for certain email template types

    The macro tree and autocomplete help incorrectly offered macros under the 'Email' entity, even when editing marketing email templates of a type other than 'Email' (Subscription, Unsubscription, Double opt-in). Such macros only resolve in the content of marketing emails based on templates of the 'Email' type, and are hidden for other templates after applying the hotfix.

    13.0.13
  • Cultures - Error when changing the culture in the Pages application

    Switching the culture in the Pages application caused an error if the selected culture used a Presentation URL with a different domain. The problem occurred on multilingual sites where the 'URL format for multilingual sites' setting was set to 'Domain', and a matching 'Visitor culture' was assigned to one of the site's domain aliases.

    13.0.13
  • Form components - Options with empty values disappearing from selector form components

    If a selector form component, for example 'Radio buttons', 'Drop-down list' or 'Multiple choice', was assigned in the code of a form field using the 'EditingComponent' attribute and one of its 'DataSource' options had an empty value, e.g., ";(none)", this option was not displayed after the resulting form was refreshed, for example when the form evaluated a visibility condition. The issue only occurred on ASP.NET Core sites.

    13.0.12
  • User interface - Calendar selector background styling issues

    The calendar date and time selector in the administration interface was displayed with incorrect background styling when used to select a time range between two dates (for example when the 'From' and 'To' selector was opened above Web analytics report graphs).

    13.0.11
  • Unix/Linux - Filesystem handling fixes for Core applications on Linux

    The hotfix addresses a number of filesystem-related issues encountered when hosting ASP.NET Core live site applications in Linux environments. The issues were primarily caused by a dependency on Windows-like filesystem conventions, so mostly impacted features reliant on Input/Output operations. The following is a non-exhaustive list of affected features: media library operations (insert, modify, delete), smart search (running indexing tasks, index rebuilds), web farm synchronization, scheduler functionality run on the live site. See the hotfix instructions for more information.

    13.0.10
  • Unix/Linux - Errors when rendering resized images on Linux

    When accessing pages that contained resized images (e.g., from media libraries), it was possible to encounter 'System.ArgumentException: Parameter is not valid' errors when rendering certain resized images. This issue only affected Linux deployments of ASP.NET Core projects.

    13.0.10
  • Search - Search configuration only available for page types with the URL feature

    The 'Search fields' tab in the Page type editing interface was only available for page types that had the 'URL' feature enabled. After applying the hotfix, the search configuration is displayed for all page types that have either custom fields or the 'URL' feature. The change allows searching for page items that hold content, but do not need their own URL.

    13.0.10
  • Page builder - Resources containing special characters not loaded

    Files or other resources containing a special character in their name were not loaded correctly when viewing content within the page builder interface, preview mode or the form builder in certain cases. The system incorrectly calculated the hash for the resource's URL. For example, the problem could affect files with special characters in their name added through a page builder widget using the media selector dialog.

    13.0.10
  • Page builder - New line causing unwanted page scrolling in the Rich text editor

    If long content (multiple paragraphs) was entered into the Rich text editor for the page builder, adding a new line caused the page to scroll down to the bottom of the widget content. The hotfix resolves the issue by updating the used Froala editor to version 3.2.6.

    13.0.10
  • Page builder - Incorrect styling of radio buttons in page builder dialogs

    The 'Radio buttons' form component was styled and displayed incorrectly when used in a page builder configuration dialog (for example assigned as the editing component of a widget property).

    13.0.10
  • Page builder - Custom plugins for the rich text editor were ignored

    Custom plugins registered for the Rich text editor page builder component were ignored due to incorrect initialization.

    13.0.10
  • Cultures - Culture selector missing options on sites with a large number of cultures

    The culture selector in the Pages application did not display all options on sites with more than 13 assigned cultures.

    13.0.10
  • On-line forms - Maximum length of the 'DB table name' not validated when cloning forms

    When cloning forms, the maximum length of the new form's 'DB table name' was not validated correctly and allowed values that were too long. This could lead to inconsistencies with the resulting form.

    13.0.9
  • Media library - Error when creating media libraries after applying hotfix 13.0.4

    An error occurred when creating a new media library after applying hotfix 13.0.4 or newer. The problem was caused by incorrectly signed macros, and can be fixed by applying hotfix 13.0.9, or alternatively by re-signing macros in the system.

    13.0.9
  • E-commerce - Incorrect product quantities in bundles added via Buy X Get Y discounts

    If a product bundle was automatically added to a customer's shopping cart as part of a 'Buy X Get Y' discount, the system incorrectly inserted two of each item included in the bundle.

    13.0.9
  • Marketing automation - Process stuck on If/Else steps when using Time-based triggers

    When a marketing automation process was automatically initiated by a trigger of the 'Time-based' type, contacts going through an 'If/Else' step got stuck even though they met the step's condition. The process remained in the 'Pending' state for the contact and could not finish.

    13.0.8
  • Hotfix - New installations not working after hotfixing the setup files

    Applying a previous version 13 hotfix to the Kentico Xperience setup files added incorrect versions of certain installation files and templates. As a result, new projects created using the hotfixed installer had an invalid database and did not work correctly To fix the problem, you need to apply hotfix 13.0.8 or newer to the setup files.

    13.0.8
  • Data engine - Error when reordering global objects after applying hotfix 13.0.7

    Changing the order of certain global objects resulted in an error after applying hotfix 13.0.7. For example, the issue could affect custom object types or custom tables with an order column.

    13.0.8
  • General - Unnecessary initialization of IDataProtectionProvider on app startup

    On ASP.NET Core sites, an instance of the 'IDataProtectionProvider' service was always required on application startup. This could cause slower application start and errors when developing isolated integration tests if a mock instance of this service was not created for every test.

    13.0.7
  • Data engine - Error when updating the order of objects stored in a non-default database

    If a custom object type was stored outside of the default database (e.g., in a separated database for on-line marketing data), the system used an incorrect database connection when updating the order or ID path for the given objects, resulting in an error. For example, the problem occurred when displaying such objects in the administration using the UniGrid control and attempting to change the order of objects.

    13.0.7
  • Search - Pages crawler index incorrectly reusing connections on HTTPS sites

    Pages crawler search indexes did not reuse connections correctly on HTTPS sites. For example, this could cause SNAT Port Exhaustion errors to occur when rebuilding indexes on sites hosted on the Azure App Service, leading to missing page results.

    13.0.6
  • Page builder - Incorrectly displayed warnings about blocked 3rd party domain cookies

    The cookie level of the system's 'KenticoCookiePolicyTest' cookie (used to detect the 3rd party domain blocking policy of a browser) was too high. This could result in incorrectly displayed error messages in the Xperience administration, e.g. in the page builder interface.

    13.0.6
  • General - Administration project not working after applying hotfix 13.0.4

    Applying hotfix 13.0.4 caused errors in the administration application and prevented the project from compiling.

    13.0.5
  • Media library - Adding media files to content with direct file path URLs

    The hotfix allows media libraries to use the direct file path in URLs when adding links to files in Xperience content (instead of permanent media file URLs). For example, direct file URLs may be desired for media files placed in external storage, such as Microsoft Azure Blob storage. The option can be configured when editing individual media libraries on the 'General' tab. The configured URL format applies when adding links to media files in the rich text editor (using the page builder widget or when editing rich text page fields) and via page fields based on the 'Media selection' form control.

    13.0.5
  • Pages - Certain characters in URL slugs caused pages to become inaccessible

    If certain characters (for example a ` grave accent) were used in the 'URL slug' of a page, the value could no longer be changed and an error occurred when viewing the page in the administration interface and on the live site.

    13.0.5
  • Search - Page updates not reflected in Azure search indexes

    Azure search indexes of the 'Pages' or 'Pages crawler' type did not update after a page included in the index was updated (and a corresponding search task was processed).

    13.0.5
  • Users - Memberships from other sites cleared when editing in the 'Users' application

    Editing a user's memberships in the administration interface on the 'Membership' tab of the 'Users' application for a selected site incorrectly removed any memberships that the user had assigned on other sites. The problem did not occur when memberships were assigned in the 'Membership' application or automatically by purchasing a product associated with the membership.

    13.0.5
  • Search - 'Enable smart search indexing' changes only reflected after application restart

    Changes made to the 'Enable smart search indexing' setting ('Settings' application -> System -> Search) were only reflected after application restart.

    13.0.3
  • Pages - Secured pages did not redirect to the sign-in page on Core sites

    On ASP.NET Core sites that used content tree-based routing, pages configured to require authentication did not redirect public visitors to the site's sign-in page. The 401 Unauthorized response was returned instead.

    13.0.3
  • Page builder - Mouse button events not propagated in properties dialogs

    The properties dialog in the page builder interface prevented 'mouseup' and 'mousedown' button events from propagating. As a result, any form components that registered listeners for such events did not work correctly in the dialog when assigned to properties.

    13.0.3
  • Page builder - Filtering not working in the 'Media files selector' dialog

    The search in the 'Media files selector' dialog for page builder components did not work in certain browsers (for example Firefox), and the displayed media files were not filtered.

    13.0.3
  • Localization - Errors when localizing projects targeting .NET Core 5

    Localization (e.g., via the system's ResHelper class) did not work and resulted in an error in projects targeting .NET Core 5.

    13.0.3
  • Files - Malformed links to static files under preview mode on Core sites

    On ASP.NET Core sites, the system generated malformed links to static files displayed under preview mode (in the 'Pages' application or when viewed via a generated preview URL). The issue occurred only for files placed outside the application's web root (/wwwroot folder). Most commonly affected were media library files, which are by default stored in a dedicated site folder outside the application's web root.

    13.0.3
  • Import/Export - 'Rebuild site search indexes' option in the import wizard

    Disabling the 'Rebuild site search indexes' option in the 'Objects selection' step of the import wizard did not work correctly, and the option always persisted as enabled after switching to a different object category.

    13.0.2
  • E-mail engine - Unresolved relative URLs in emails sent from the administration

    Emails sent from the 'Send email' tab in the 'Email queue' application or the 'Mass email' tab in the 'Users' application did not resolve relative virtual URLs to their absolute form in certain cases.

    13.0.2
  • Email marketing - New introduction video for Email marketing

    Added a tip box with an introduction video for the 'Email marketing' application.

    13.0.1
  • E-mail engine - Modify permission incorrectly required to refresh the email queue

    The 'Email queue' application incorrectly required the 'Modify email queue' permission to 'Refresh' the queue. After applying the hotfix, the 'Read email queue' permission is sufficient to refresh the queue.

    13.0.1
  • Security bugsFixed in version
  • Update of third-party dependencies  Important

    Description

    The hotfix updates several third-party dependencies of page and form builder scripts to newer versions that address vulnerabilities.

    Details

    Issue type:
    Update of third-party dependencies
    Security risk:
    Important
    Found in version:
    13.0.167 and lower
    Fixed in version:
    13.0.168
    Fixed date:
    11/28/2024
    Reported by:
    Kentico Security Team

    Recommendation

    Install the latest hotfix. You can download the latest hotfix from Download section on the DevNet portal. If you use an older version of Kentico Xperience, it is highly recommended to upgrade to the latest version.
    13.0.168
  • Users unable to set 'secure' flag for administration cookies via web.config  Moderate

    Description

    The 'requireSSL' attribute on the 'httpCookies' web.config element was not reflected when setting cookies via 'CookieHelper.SetValue'. Instead, SSL was always disabled unless explicitly forced via the optional 'secure' parameter of the 'SetValue' method. The hotfix introduces a number of functional changes to the 'SetValue' method to correct this issue. Only .NET Framework projects are affected. See the hotfix instructions in the documentation for details.

    Details

    Issue type:
    Cookie configuration
    Security risk:
    Moderate
    Found in version:
    13.0.164 and lower
    Fixed in version:
    13.0.165
    Fixed date:
    10/10/2024
    Reported by:
    Crafted Media Ltd.

    Recommendation

    Install the latest hotfix. You can download the latest hotfix from Download section on the DevNet portal. If you use an older version of Kentico Xperience, it is highly recommended to upgrade to the latest version.
    13.0.165
  • Stored XSS in the Rich text editor component  Important

    Description

    The rich text editor component for the page and form builder was vulnerable to cross-site scripting attacks (XSS). To eliminate this vulnerability, entered URIs are validated and can contain only allowed schemes.

    Details

    Issue type:
    Cross Site Scripting
    Security risk:
    Important
    Found in version:
    13.0.162 and lower
    Fixed in version:
    13.0.163
    Fixed date:
    9/12/2024
    Reported by:
    Kentico Security Team

    Recommendation

    Install the latest hotfix. You can download the latest hotfix from Download section on the DevNet portal. If you use an older version of Kentico Xperience, it is highly recommended to upgrade to the latest version.
    13.0.163
  • Reflected XSS in the Pages dashboard widget  Moderate

    Description

    The configuration dialog of the ‘Pages’ administration dashboard widget was vulnerable to reflected cross-site scripting attacks. To eliminate this vulnerability, all configuration values are now properly encoded.

    Details

    Issue type:
    Reflected cross-site scripting
    Security risk:
    Moderate
    Found in version:
    13.0.160 and bellow
    Fixed in version:
    13.0.161
    Fixed date:
    8/29/2024
    Reported by:
    Bank of Ayudhya

    Recommendation

    Install the latest hotfix. You can download the latest hotfix from Download section on the DevNet portal. If you use an older version of Kentico Xperience, it is highly recommended to upgrade to the latest version.
    13.0.161
  • Allowed admin hostnames disclosed via public endpoint  Moderate

    Description

    The list of allowed administration interface hostnames sent during authentication was disclosed to public users. After applying the hotfix, hostnames are no longer accessible.

    Details

    Issue type:
    Information disclosure
    Security risk:
    Moderate
    Found in version:
    13.0.159 and lower
    Fixed in version:
    13.0.160
    Fixed date:
    8/22/2024
    Reported by:
    Bank of Ayudhya

    Recommendation

    Install the latest hotfix. You can download the latest hotfix from Download section on the DevNet portal. If you use an older version of Kentico Xperience, it is highly recommended to upgrade to the latest version.
    13.0.160
  • Stored XSS in Form validation  Important

    Description

    Form validation rule configuration was vulnerable to stored Cross-Site-Scripting attacks. To eliminate this vulnerability, validation message is now properly encoded.

    Details

    Issue type:
    Stored XSS
    Security risk:
    Important
    Found in version:
    13.0.159 and lower
    Fixed in version:
    13.0.160
    Fixed date:
    8/22/2024
    Reported by:
    Bluesoft

    Recommendation

    Install the latest hotfix. You can download the latest hotfix from Download section on the DevNet portal. If you use an older version of Kentico Xperience, it is highly recommended to upgrade to the latest version.
    13.0.160
  • Stored XSS in shipping options configuration  Moderate

    Description

    This vulnerability was caused by the ability to enter malicious code into the configuration of shipping options. This could lead to cross-site scripting attacks resulting in potential theft of sensitive data. To correct this issue, support for HTML markup in the shipping options configured was removed.

    Details

    Issue type:
    Cross-site-scripting (XSS)
    Security risk:
    Moderate
    Found in version:
    13.0.158 and lower
    Fixed in version:
    13.0.160
    Fixed date:
    8/22/2024
    Reported by:
    Bluesoft

    Recommendation

    Install the latest hotfix. You can download the latest hotfix from Download section on the DevNet portal. If you use an older version of Kentico Xperience, it is highly recommended to upgrade to the latest version.
    13.0.160
  • Stored XSS in Checkbox form component  Moderate

    Description

    The Checkbox component in form builder was vulnerable to Cross-Site-Scripting attack (XSS). To eliminate this vulnerability, support for HTML in Checkbox component was removed.

    Details

    Issue type:
    Cross-site scripting (XSS)
    Security risk:
    Moderate
    Found in version:
    13.0.158 and lower
    Fixed in version:
    13.0.159
    Fixed date:
    8/15/2024
    Reported by:
    Bluesoft

    Recommendation

    Install the latest hotfix. You can download the latest hotfix from Download section on the DevNet portal. If you use an older version of Kentico Xperience, it is highly recommended to upgrade to the latest version.
    13.0.159
  • Stored XSS in avatar upload feature  Moderate

    Description

    This vulnerability was caused by the file uploader that did not check the configuration of allowed extensions which could potentially lead to Cross-Site-Scripting attack (XSS). We fixed this issue by adding a check for extension of uploaded file, which effectively eliminated possibility of XSS.

    Details

    Issue type:
    Cross-site scripting (XSS)
    Security risk:
    Moderate
    Found in version:
    13.0.158 and lower
    Fixed in version:
    13.0.159
    Fixed date:
    8/15/2024
    Reported by:
    Bluesoft

    Recommendation

    Install the latest hotfix. You can download the latest hotfix from Download section on the DevNet portal. If you use an older version of Kentico Xperience, it is highly recommended to upgrade to the latest version.
    13.0.159
  • 'System.Security.Cryptography.Pkcs' NuGet package update  Important

    Description

    The hotfix updates the 'System.Security.Cryptography.Pkcs' NuGet package dependency to version 8.0.0.

    Details

    Issue type:
    3rd party vulnerability
    Security risk:
    Important
    Found in version:
    13.0.152
    Fixed in version:
    13.0.153
    Fixed date:
    6/20/2024
    Reported by:
    Kentico Security Team

    Recommendation

    Install the latest hotfix. You can download the latest hotfix from Download section on the DevNet portal. If you use an older version of Kentico Xperience, it is highly recommended to upgrade to the latest version.
    13.0.153
  • Reflected XSS in the administration interface  Moderate

    Description

    A certain page in the administration interface was vulnerable to reflected XSS attacks. The vulnerability could only be exploited by authenticated users.

    Details

    Issue type:
    Reflected XSS
    Security risk:
    Moderate
    Found in version:
    13.0.120 and lower
    Fixed in version:
    13.0.121
    Fixed date:
    8/24/2023
    Reported by:
    James Taylor | Cantarus

    Recommendation

    Install the latest hotfix. You can download the latest hotfix from Download section on the DevNet portal. If you use an older version of Kentico Xperience, it is highly recommended to upgrade to the latest version.
    13.0.121
  • Stored XSS in the Localization application  Moderate

    Description

    It was possible to inject a malicious payload using the Localization application, which could affect several parts of the administration interface. By default, only users with the Global Administrator privilege could successfully execute the attack.

    Details

    Issue type:
    Stored XSS
    Security risk:
    Moderate
    Found in version:
    13.0.101
    Fixed in version:
    13.0.112
    Fixed date:
    5/25/2023
    Reported by:
    Kentico Security Team

    Recommendation

    Install the latest hotfix. You can download the latest hotfix from Download section on the DevNet portal. If you use an older version of Kentico Xperience, it is highly recommended to upgrade to the latest version.
    13.0.112
  • Reflected XSS in preview URLs  Moderate

    Description

    Page preview URLs were vulnerable to reflected XSS attacks due to improper processing. The vulnerability was exploitable only by authenticated users.

    Details

    Issue type:
    Reflected XSS
    Security risk:
    Moderate
    Found in version:
    13.0.109 and lower
    Fixed in version:
    13.0.110
    Fixed date:
    5/11/2023
    Reported by:
    POP

    Recommendation

    Install the latest hotfix. You can download the latest hotfix from Download section on the DevNet portal. If you use an older version of Kentico Xperience, it is highly recommended to upgrade to the latest version.
    13.0.110
  • Update of third-party dependencies  Important

    Description

    The hotfix updates several third-party dependencies used by the system to later versions. See the hotfix instructions for the full list.

    Details

    Issue type:
    Update of Third Party Software Dependencies
    Security risk:
    Important
    Found in version:
    13.0.103
    Fixed in version:
    13.0.110
    Fixed date:
    5/11/2023
    Reported by:
    Kentico Security Team

    Recommendation

    Install the latest hotfix. You can download the latest hotfix from Download section on the DevNet portal. If you use an older version of Kentico Xperience, it is highly recommended to upgrade to the latest version.
    13.0.110
  • Information disclosure after a failed file upload  Informative

    Description

    When specific conditions were met, and the server could not save an uploaded file (e.g., attachment, media library file), the displayed error message might have contained the filesystem path. After applying the hotfix, only a generic error message is displayed to the user. The full error with detailed information is logged to the event log.

    Details

    Issue type:
    Information disclosure
    Security risk:
    Informative
    Found in version:
    13.0.98 and lower
    Fixed in version:
    13.0.99
    Fixed date:
    1/26/2023
    Reported by:
    Customer

    Recommendation

    Install the latest hotfix. You can download the latest hotfix from Download section on the DevNet portal. If you use an older version of Kentico Xperience, it is highly recommended to upgrade to the latest version.
    13.0.99
  • Stored XSS in 'Localization' application  Moderate

    Description

    The listing of resource strings in the ‘Localization’ application was vulnerable to stored XSS attacks.

    Details

    Issue type:
    Stored XSS
    Security risk:
    Moderate
    Found in version:
    13.0.98 and lower
    Fixed in version:
    13.0.99
    Fixed date:
    1/26/2023
    Reported by:
    Customer

    Recommendation

    Install the latest hotfix. You can download the latest hotfix from Download section on the DevNet portal. If you use an older version of Kentico Xperience, it is highly recommended to upgrade to the latest version.
    13.0.99
  • Update of System.Data.SqlClient library  Moderate

    Description

    Due to an information disclosure issue in the 'System.Data.SqlClient' library ([https://github.com/advisories/GHSA-8g2p-5pqh-5jmc),|https://github.com/advisories/GHSA-8g2p-5pqh-5jmc),|smart-link] this dependency in the product was updated to version 4.8.5. The 'System.Security.Permissions' and 'System.Security.AccessControl' NuGet packages are no longer needed by the CMSApp project, and we recommend uninstalling them from the project if no custom code depends on them.

    Details

    Issue type:
    Information disclosure
    Security risk:
    Moderate
    Found in version:
    13.0.92 and lower
    Fixed in version:
    13.0.98
    Fixed date:
    1/19/2023
    Reported by:
    Kentico Security Team

    Recommendation

    Install the latest hotfix. You can download the latest hotfix from Download section on the DevNet portal. If you use an older version of Kentico Xperience, it is highly recommended to upgrade to the latest version.
    13.0.98
  • Stored XSS through email templates  Moderate

    Description

    Administration users were able to inject stored XSS via email marketing templates.

    Details

    Issue type:
    Stored XSS
    Security risk:
    Moderate
    Found in version:
    13.0.92 and lower
    Fixed in version:
    13.0.93
    Fixed date:
    12/7/2022
    Reported by:
    Kentico Security Team

    Recommendation

    Install the latest hotfix. You can download the latest hotfix from Download section on the DevNet portal. If you use an older version of Kentico Xperience, it is highly recommended to upgrade to the latest version.
    13.0.93
  • Reflected XSS in the Rich text editor component  Moderate

    Description

    Administration input fields using the Rich text editor component were vulnerable to reflected XSS attacks.

    Details

    Issue type:
    Reflected XSS
    Security risk:
    Moderate
    Found in version:
    13.0.88
    Fixed in version:
    13.0.89
    Fixed date:
    11/4/2022
    Reported by:
    Kentico Security Team

    Recommendation

    Install the latest hotfix. You can download the latest hotfix from Download section on the DevNet portal. If you use an older version of Kentico Xperience, it is highly recommended to upgrade to the latest version.
    13.0.89
  • CRLF Injection on page redirection  Moderate

    Description

    The routing engine was vulnerable to CRLF Injection when performing redirects due to improper encoding of the URL query string.

    Details

    Issue type:
    CRLF Injection
    Security risk:
    Moderate
    Found in version:
    13.0.79
    Fixed in version:
    13.0.80
    Fixed date:
    9/2/2022
    Reported by:
    Tom Waldman

    Recommendation

    Install the latest hotfix. You can download the latest hotfix from Download section on the DevNet portal. If you use an older version of Kentico Xperience, it is highly recommended to upgrade to the latest version.
    13.0.80
  • Cross-site scripting via form configuration  Moderate

    Description

    The ‘After the form is submitted > Redirect to URL' configuration for forms in the Xperience administration didn’t properly validate input. This could lead to cross-site scripting attacks.

    Details

    Issue type:
    Cross-site scripting
    Security risk:
    Moderate
    Found in version:
    13.0.74
    Fixed in version:
    13.0.75
    Fixed date:
    6/24/2022
    Reported by:
    Kentico Security Team

    Recommendation

    Install the latest hotfix. You can download the latest hotfix from Download section on the DevNet portal. If you use an older version of Kentico Xperience, it is highly recommended to upgrade to the latest version.
    13.0.75
  • HTML injection in Form emails  Moderate

    Description

    When a user submitted a form on the live site with a malicious HTML value, the form’s notification and autoresponder emails didn’t encode these values. That could lead to potential HTML injection if the recipient’s email client was configured to display HTML content. The hotfix introduces a new ‘CMSBizFormMailEncodeFields’ configuration key, which you can add to the project’s appsettings.json or web.config file. If set to true, autoresponder and notification emails encode the values of the submitted form’s fields. Add the key to both your live site and administration projects.

    Details

    Issue type:
    HTML injection
    Security risk:
    Moderate
    Found in version:
    13.0.71 and lower
    Fixed in version:
    13.0.72
    Fixed date:
    6/2/2022
    Reported by:
    Liam Goldfinch (NetConstruct)

    Recommendation

    Install the latest hotfix. You can download the latest hotfix from Download section on the DevNet portal. If you use an older version of Kentico Xperience, it is highly recommended to upgrade to the latest version.
    13.0.72
  • Denial of service caused by improper input validation  Important

    Description

    A specially crafted request sent to the GetResource handler may have been used to launch a denial-of-service attack. The vulnerability was fixed via input validation.

    Details

    Issue type:
    Denial of Service
    Security risk:
    Important
    Found in version:
    13.0.65 and lower
    Fixed in version:
    13.0.66
    Fixed date:
    4/8/2022
    Reported by:
    Riccardo Cardelli

    Recommendation

    Install the latest hotfix. You can download the latest hotfix from Download section on the DevNet portal. If you use an older version of Kentico Xperience, it is highly recommended to upgrade to the latest version.
    13.0.66
  • Administrators able to export Global administrator users  Moderate

    Description

    Users with the 'Administrator' privilege level were able to send requests that exported data about other users with the higher 'Global administrator' privilege level (this was not possible directly in the user interface). The export may have contained all user data stored in the database.

    Details

    Issue type:
    Missing access control
    Security risk:
    Moderate
    Found in version:
    13.0.65 and lower
    Fixed in version:
    13.0.66
    Fixed date:
    4/8/2022
    Reported by:
    Gabor Szivos (A1 Digital)

    Recommendation

    Install the latest hotfix. You can download the latest hotfix from Download section on the DevNet portal. If you use an older version of Kentico Xperience, it is highly recommended to upgrade to the latest version.
    13.0.66
  • Cross-site scripting via file upload  Important

    Description

    Stored cross-site scripting could occur if a user uploaded a malicious XML file as a page attachment or metafile.

    Details

    Issue type:
    XSS
    Security risk:
    Important
    Found in version:
    13.0.56 and lower
    Fixed in version:
    13.0.57
    Fixed date:
    1/7/2022
    Reported by:
    Kentico Security Team

    Recommendation

    Install the latest hotfix. You can download the latest hotfix from Download section on the DevNet portal. If you use an older version of Kentico Xperience, it is highly recommended to upgrade to the latest version.
    13.0.57
  • Cross-site scripting via file upload in media libraries  Important

    Description

    Stored cross-site scripting occurred if a user uploaded a malicious XML file into a media library.

    Details

    Issue type:
    Stored cross-site scripting
    Security risk:
    Important
    Found in version:
    13.0.54 and lower
    Fixed in version:
    13.0.55
    Fixed date:
    12/10/2021
    Reported by:
    External security researcher

    Recommendation

    Install the latest hotfix. You can download the latest hotfix from Download section on the DevNet portal. If you use an older version of Kentico Xperience, it is highly recommended to upgrade to the latest version.
    13.0.55
  • SQL injection in certain macros  Critical

    Description

    Certain online marketing macro methods contained an SQL injection vulnerability that could be abused by authenticated editors in the administration interface. Adding a malicious SQL query as a macro method parameter could allow unauthorized access to data or modifications in the database.

    Details

    Issue type:
    SQL injection
    Security risk:
    Critical
    Found in version:
    13.0.52 and lower
    Fixed in version:
    13.0.53
    Fixed date:
    11/26/2021
    Reported by:
    Kentico Security Team

    Recommendation

    Install the latest hotfix. You can download the latest hotfix from Download section on the DevNet portal. If you use an older version of Kentico Xperience, it is highly recommended to upgrade to the latest version.
    13.0.53
  • Flawed MIME type validation for uploaded files  Important

    Description

    Certain locations within the system allowed uploading of files with a spoofed Content-Type that did not match the file extension, which could lead to XSS vulnerability.

    Details

    Issue type:
    Stored XSS through file uploader with spoofed Content-Type
    Security risk:
    Important
    Found in version:
    13.0 - 13.0.43
    Fixed in version:
    13.0.44
    Fixed date:
    9/17/2021
    Reported by:
    AppCheck Ltd

    Recommendation

    Install the latest hotfix. You can download the latest hotfix from Download section on the DevNet portal. If you use an older version of Kentico Xperience, it is highly recommended to upgrade to the latest version.
    13.0.44
  • Self Cross-site scripting when submitting forms  Informative

    Description

    A cross-site scripting vulnerability was present when submitting form data using the Form widget or on the Recorded data tab in the administration. Only the users submitting the form were affected by this vulnerability, therefore it is classified as self-XSS.

    Details

    Issue type:
    Cross-site scripting
    Security risk:
    Informative
    Found in version:
    13.0
    Fixed in version:
    13.0.27
    Fixed date:
    5/28/2021
    Reported by:
    Bluesoft

    Recommendation

    Install the latest hotfix. You can download the latest hotfix from Download section on the DevNet portal. If you use an older version of Kentico Xperience, it is highly recommended to upgrade to the latest version.
    13.0.27

Hotfixes for 12.x

Fixed Bugs   Security Bugs
  • Bug DescriptionFixed in version
  • E-mail engine - New API for SMTP client configuration

    The hotfix introduces new 'CMS.EmailEngine.ISmtpClientFactory' API that enables developers to modify the configuration of the system's SMTP client. This API is primarily intended for advanced environments with specific requirements.

    12.0.102
  • E-mail engine - OAuth support for email servers

    Many email services are deprecating support of basic authentication via a username and password (for example Microsoft Exchange Online). The hotfix introduces an alternative way to connect to email servers using OAuth 2.0 token-based authorization. OAuth support covers both SMTP servers and mail servers for monitoring bounced emails (using POP3). By default, the system includes an OAuth provider for Microsoft Exchange Online - other services require implementation of a custom provider. The hotfix adds the 'MailKit 3.1.1' NuGet package to both the administration and live site projects, which may cause conflicts if your projects contain custom functionality using other versions of this package. See the hotfix instructions for details.

    12.0.101
  • Security - Bootstrap JavaScript library updated to v3.4.1

    The Bootstrap JavaScript library used in the administration interface was updated to v3.4.1 due to security vulnerabilities contained in the previous version.

    12.0.100
  • Contact management - Performance of contact mass actions with a separated database

    If the application had a separated database for on-line marketing data, running mass actions for contacts in the 'Contact groups' or 'Scoring' application caused the system to generate large and ineffective queries. This could lead to performance issues on sites with a large number of contacts, for example after starting an automation process for all contacts in a group.

    12.0.100
  • Form components - reCAPTCHA validation could be bypassed

    Form validation provided by the 'reCAPTCHA' form component on MVC sites could be bypassed in certain scenarios.

    12.0.99
  • E-commerce - 'Buy X Get Y' discount performance

    The hotfix improves the performance of 'Buy X Get Y' discounts with buy conditions based on product sections. The evaluation of such discounts was slow for shopping carts containing a large number of products.

    12.0.98
  • Search - Not possible to configure Azure Search service hosting domain

    It was not possible to change the domain name suffix of requests generated by the system for Azure search services (e.g., 'myazuresearchservice.search.windows.net'). The majority of commercial search services are hosted on the 'search.windows.net' domain. However, certain Azure subscription types, such as Azure Government, host search services under different domains. The hotfix introduces a new 'CMSAzureSearchDnsSuffix' configuration key that allows you to specify the domain where your search services are hosted, overriding the default system behavior. See the hotfix instructions for details.

    12.0.97
  • Page builder - Saving large page builder configurations could fail

    Saving a page with a large amount of page builder content could fail in certain cases. The problem was caused by deadlocks that could occur when saving large page builder configurations due to incorrect processing of asynchronous requests.

    12.0.96
  • Form builder - Form component selection dialog displayed incorrectly in long forms

    The form component selection dialog in the form builder interface was positioned incorrectly when adding fields to very long forms that required scrolling.

    12.0.96
  • E-mail engine - Emails stuck in the sending state in special cases

    The system stopped sending emails in rare cases when an SMTP server did not return any response. Emails remained stuck in the email queue with the 'Sending' state. On instances with only one SMTP server configured, this scenario could fully block sending of emails.

    12.0.96
  • E-commerce - 'Remove from inventory' value not saved when creating new bundle products

    When creating new products representing a 'Bundle', the 'Remove from inventory' property was always saved with the 'Remove bundle only' value, even if a different option was selected.

    12.0.96
  • Page builder - Certain page and form builder actions not working in the Chrome browser

    Actions in the page builder and form builder interface that opened confirmation dialogs did not work when using version 92.0.4515 or newer of the Chrome browser. For example, the problem occurred when deleting widgets and sections, or after canceling changes in a properties dialog. The following error was logged into the browser console: "A different origin subframe tried to create a javascript dialogue. This is no longer allowed and was blocked."

    12.0.95
  • API - 'UserInfoProvider.GetUserName' method causing a null reference exception

    The 'UserInfoProvider.GetUserName' method could cause a null reference exception in certain scenarios where the processed user did not exist. This could lead to errors when calling user-related API in custom code, for example the 'UserRoleInfoProvider.DeleteUserRoleInfo' method.

    12.0.95
  • Event management - Emails to event attendees not sending correctly

    Sending of emails to an event's attendees on the 'Send email' tab in the Events application did not work correctly. In certain cases, emails were not generated for all of the event's attendees and errors could occur.

    12.0.94
  • Localization - Incorrect culture for certain system emails

    System emails based on the 'Membership - Change password request', 'Membership - Password reset confirmation' and 'E-commerce - Automatic registration' email templates were sent with an incorrect culture in certain scenarios. Localization macros placed into the templates were resolved into a default culture (English) instead of the user's current content culture on the site.

    12.0.93
  • Users - Memberships from other sites cleared when editing in the 'Users' application

    Editing a user's memberships in the administration interface on the 'Membership' tab of the 'Users' application for a selected site incorrectly removed any memberships that the user had assigned on other sites. The problem did not occur when memberships were assigned in the 'Membership' application or automatically by purchasing a product associated with the membership.

    12.0.92
  • Search - Pages crawler index incorrectly reusing connections on HTTPS sites

    Pages crawler search indexes did not reuse connections correctly on HTTPS sites. For example, this could cause SNAT Port Exhaustion errors to occur when rebuilding indexes on sites hosted on the Azure App Service, leading to missing page results.

    12.0.92
  • E-mail engine - Unresolved relative URLs in emails sent from the administration

    Emails sent from the 'Send email' tab in the 'Email queue' application or the 'Mass email' tab in the 'Users' application did not resolve relative virtual URLs to their absolute form correctly. For example, this could result in broken links to pages on Portal Engine sites. The issue occurred only after applying hotfix 12.0.79 or newer.

    12.0.92
  • Import/Export - Incorrect behavior after importing the same site multiple times

    When the same site was imported more than once to the same instance, the site root pages had the same values in the 'DocumentWorkflowCycleGUID' field, which could lead to errors and incorrect behavior. For example, creating new pages could result in page template retrieval errors. Applying the hotfix ensures unique GUID values for future imports, but does not fix existing sites with this issue.

    12.0.91
  • Form controls - CSS classes lost on postback for 'HTML5 input' fields

    Form fields on Portal Engine sites using the 'HTML5 input' form control lost CSS classes assigned through the field 'CSS styles' properties when a postback occurred on the page (for example after the form was submitted and validation failed).

    12.0.91
  • Page builder - Media files selector folder tree design

    The folder tree area of the 'Media files selector' dialog for page builder components was too narrow, which could make it hard to read long or nested media folder names. The hotfix updates the design of the dialog to improve visibility in the folder tree.

    12.0.90
  • Facebook integration - Changes in Facebook permissions

    Due to changes in the Facebook API and related permissions, the functionality for publishing content to Facebook pages may stop working. To use the feature, you need to apply the hotfix and manually update your Facebook app. Ensure that your app has the 'pages_manage_posts', 'pages_read_user_content' and 'read_insights' permissions, upgrade the Facebook API Version to 'v8.0', and generate a new page access token for your Facebook app in Kentico.

    12.0.90
  • Marketing automation - Processes stuck on Wait steps

    Marketing automation processes could get stuck on 'Wait' steps and licensing errors were logged. The problem occurred in cases where the background scheduled task handling the wait step was executed in the context of a site with a license edition lower than EMS (on instances with multiple sites using different license editions).

    12.0.89
  • E-mail engine - Timeout when cleaning archived emails with attachments

    Cleaning of archived emails with attachment files was inefficient, and could potentially lead to timeout issues if the database contained a large number of archived emails with an attachment.

    12.0.89
  • E-commerce - PayPal payment error in certain gift card scenarios

    Payments using the default PayPal provider resulted in a validation error if the order used a gift card with a value higher than the total price of all purchased items (only applies to cases where payment was still necessary after calculating the order's final price with shipping and tax).

    12.0.89
  • Licensing - License limitation errors for MVC sites on Small Business licenses

    Running an MVC site with the Small Business license edition resulted in license limitation errors. After applying the hotfix, Small Business licenses support web farm synchronization and the errors no longer occur.

    12.0.88
  • Staging - Binary data of meta files not synchronized when stored on the file system

    If the system was configured to store file binary data on the file system, staging tasks did not synchronize these files for object-related meta files. For example, the problem could affect product images assigned to SKUs.

    12.0.87
  • Form controls - Incorrect reCAPTCHA culture

    The 'reCAPTCHA' form control and MVC form component only processed the current content culture as a 2 character ISO code, which could cause the reCAPTCHA to display in the incorrect culture. For example, the problem could occur on sites using the 'zh-HK' Chinese culture, which displayed the reCAPTCHA in the 'zh-CN' culture instead.

    12.0.86
  • Staging - Relationships between pages on different sites not synchronized

    Page update staging tasks generated after adding or modifying a related page from another site did not synchronize the relationship change to target servers. After applying the hotfix, staging supports synchronization of relationships between pages on different sites.

    12.0.85
  • General export - Error when exporting email marketing link click data

    An error occurred when using the Advanced export feature for email marketing link click statistics with the 'Export raw database data' option enabled and all data columns selected.

    12.0.85
  • Web analytics - Invalid exit page candidate data breaks analytics log processing

    If a web analytics log file for exit page candidates contained invalid or malformed data, processing failed and prevented logging of all web analytics statistics. After applying the hotfix, such files are deleted and processing of other analytics logs continues.

    12.0.84
  • Page types - Error when rolling back parent page types

    An error occurred when rolling back to a previous version of a page type with one or more child page types (i.e. page types that inherit fields).

    12.0.84
  • Reporting - Printing of reports not working with Base or lower license editions

    The 'Print' functionality in the Reporting application did not work on sites with the 'Kentico CMS Base' or lower license editions.

    12.0.83
  • Page builder - Unable to load page builder for certain pages when using output caching

    When caching the output of controller actions using the ASP.NET output caching, the page builder did not load in the 'Pages' application for pages displayed through the cached actions. Instead, only a preview of the cached page was displayed. This problem occurred in special scenarios, for example, when caching based on specific parameters defined in the 'VaryByParam' property.

    12.0.82
  • Microsoft Azure - Node alias paths with non-ASCII characters caused errors in Azure

    On sites hosted in Azure or behind a reverse proxy server, an error occurred in the administration interface when viewing pages in Preview mode or the page builder for pages whose node alias path contained non-ASCII characters. The virtual context URLs used by these features had escaped characters when obtained from the remote server, resulting in a non-matching hash.

    12.0.82
  • Licensing - Web farm licensing issues when using domains with port numbers

    Domains containing a port number were not correctly registered as belonging to the domain for which a license was issued. This caused issues with the system's web farm functionality.

    12.0.81
  • E-mail engine - Cleaning of archived emails fails in certain scenarios

    Cleaning of archived emails could fail in cases where the scheduler was configured to run in request-based mode and the administration site did not receive regular traffic. This could lead to buildup of sent emails and cause intervals of heavy database load.

    12.0.81
  • WYSIWYG editor - Poster attribute of the video tag not handled correctly

    When editing page fields based on the 'Rich text editor' form control, the system incorrectly handled virtual URLs in the 'poster' attribute of 'video' tags (added through the editor's Source mode). After saving such a URL into the content, subsequent edits loaded a relative URL resolved according to the application path of the administration application. Re-saving the field could cause the poster URL to become invalid, for example if the live site was running with a different application path than the administration.

    12.0.80
  • Form builder - Form builder memory leak issues

    The visibility condition and validation rule components of the system's 'Form builder' feature contained a memory leak. Sites making heavy use of these components experienced severely heightened memory utilization, eventually resulting in an application crash.

    12.0.80
  • Page builder - Broken URLs in page builder content in special cases

    If content added through the page builder (for example using a text editor widget) included absolute URLs with a domain matching the current site's Presentation URL, the URLs became broken after resaving the content. The system resolved such URLs into internal virtual context URLs ('/cmsctx/...') to work within the administration interface, but this value was incorrectly saved into the database on subsequent edits. After applying the hotfix, such absolute URLs are modified to relative URLs after being saved, and the system correctly handles the virtual context URL conversions. The fix does not address any existing broken links - these need to be fixed and resaved manually.

    12.0.79
  • Form builder - Form widget 'id' attribute configuration support

    It was not possible to set a static 'id' attribute for the 'form' HTML element of forms placed using the system's default 'Form' widget. By default, the system always generated a random 'id' for each form to prevent multiple forms with identical identifiers from being placed on a single page. After applying the hotfix, you can suppress this behavior by setting the 'id' attribute via the 'FormWidgetRenderingConfiguration.FormHtmlAttributes' property. However, note that this sets the same 'id' attribute for ALL form widget instances. As a result, having more than one form per page is not supported under this configuration.

    12.0.79
  • E-commerce - PayPal payment error with long order notes

    Payments using the default PayPal provider resulted in a validation error if the order contained a note longer than 165 characters. After applying the hotfix, order notes that exceed this number of characters are trimmed before being sent to PayPal.

    12.0.78
  • E-commerce - Incorrect free shipping calculation

    Free shipping offers with a 'Minimum order amount' were incorrectly evaluated without subtracting any applied order discounts from the checked order price. Note that after applying the hotfix, orders will no longer qualify for free shipping if their price does not meet the minimum amount after subtracting an order discount.

    12.0.77
  • Pages - Path macros in page type URL patterns

    Certain scenarios did not work correctly if the 'URL pattern' of page types on MVC sites contained a page path macro that could resolve into a value with multiple URL segments, such as the 'NodeAliasPath' field. For example, detection of alternative URL conflicts did not work for the resulting pages. After applying the hotfix, the system handles such macros if they are the only value placed into the URL pattern.

    12.0.76
  • Pages - Language version comparison error for users with special characters in their name

    An error occurred in the language version comparison mode of the Pages application for users whose username contained certain special characters, such as a backslash (typically for users created via external authentication).

    12.0.76
  • Search - Smart search task generation for product page types

    The system generated individual smart search indexing tasks for each page associated with a given product (SKU object) every time the product was modified. This occurred even for pages not included under any smart search indexes. After applying the hotfix, the system generates a single smart search task per SKU modification that processes all pages related to the product.

    12.0.75
  • Pages - Special characters in usernames causing errors when viewing pages in the admin UI

    Users created via external authentication whose username contained certain special characters could encounter an error when viewing pages in the Pages application, for example in Preview mode or in the page builder edit mode on the 'Page' tab. After applying the hotfix, the virtual context URLs used to display such content store the GUID of the current user instead of the username.

    12.0.75
  • Form builder - Checkbox form component localization issues

    The 'Checkbox' form component's 'Text' property did not support localization macro expressions.

    12.0.74
  • Authentication - External authentication and sites running on non-standard ports

    The system did not generate a valid callback URL for external authentication providers if the site was running on a domain with a non-standard port number (different than 80 for HTTP, 443 for HTTPS). This resulted in an endless chain of redirects between the application and the authentication provider.

    12.0.74
  • Page builder - React-based click events not working in the properties dialog

    If a custom form component using the React JavaScript library was assigned to a property of a page builder component (widget, section, etc.), click events (onclick) did not work in the resulting properties dialog. After applying the hotfix, click events of React components are triggered correctly in page builder property configuration dialogs.

    12.0.73
  • Localization - Incorrect culture for registration emails on Portal Engine sites

    Registration emails sent when a new user registered on a Portal Engine site through the 'Registration form' or 'Custom registration form' web part did not have the correct culture in certain scenarios. Localization macros placed into registration email templates (e.g. 'Membership - Registration' or 'Membership - Registration confirmation') were resolved into a default culture (English) instead of the user's current content culture on the site.

    12.0.73
  • Files - Files not created correctly in mapped file system folders

    When a folder was mapped to another location using the file system provider API, moving or copying of files from the local file system into the mapped folder did not work correctly in certain scenarios. For example, if a media library folder was mapped to Azure Blob storage, the system did not create files when using the import feature to add media files into the given folder.

    12.0.73
  • API - Context API not working in async code

    Kentico API that relied on static contexts, such as 'SiteContext', 'ContactManagementContext', or 'CMSActionContext', did not work and returned empty values when called within custom asynchronous (async) methods. After applying the hotfix, the contexts correctly persist their values within async code.

    12.0.73
  • Staging - 'Break ACL inheritance' tasks not logged after incoming synchronization

    Staging tasks of the 'Break ACL inheritance' type were not logged correctly when the change was triggered by incoming synchronization from another server (typically in environments with 3 or more connected staging servers).

    12.0.72
  • Licensing - Licenses generated for domains shorter than four characters not working

    License keys containing domain names shorter than four characters were not recognized by the system.

    12.0.71
  • E-commerce - 'Shipping option selection' web part error after choosing '(Please select)'

    When utilizing the 'Shipping option selection' web part in the checkout process on a Portal Engine site, an error occurred if a customer selected a shipping option and then later switched back to the default '(Please select)' item. After applying the hotfix, the web part no longer displays the '(Please select)' item after selecting and saving a valid shipping option. The problem occurred after applying hotfix 12.0.35 or newer.

    12.0.71
  • E-mail engine - Cleaning of archived emails fails in certain scenarios

    If using a database server with relatively low-tier performance (for example an Azure SQL database with 400 DTUs) and sending extremely large numbers of emails, cleaning of archived emails could fail and potentially lead to buildup of sent emails, and even performance issues or crashes on the website. To fix the issue, either scale up the database, increase the database connection timeout, or lower the batch size for archived email deletion by adding the new 'CMSEmailDeleteBatchSize' key to the project's web.config file. The key's default value is 2000.

    12.0.70
  • Staging - Data of 'Department roles selector' page fields not synchronized correctly

    If a page type had a field based on the 'Department roles selector' form control, the field's data was not correctly synchronized through staging tasks when a page was created or updated.

    12.0.69
  • Page types - System page fields in code generated for inherited page types

    If a page type inherited a system 'Page field' from a parent page type (for example the 'DocumentShowInSiteMap' field), code generated for the page type incorrectly included a property representing the system field (such properties are redundant, as system fields are already available in the base 'TreeNode' class). After applying the hotfix, system fields are never included in classes generated for page types.

    12.0.69
  • MVC - 'Live site' button not working for site Presentation URLs with special characters

    The 'Live site' button in the application list did not work correctly if certain special characters were included in the 'Presentation URL' of an MVC site.

    12.0.68
  • E-commerce - Incorrect evaluation of Buy X Get Y discounts under heavy load

    On sites running under heavy load, evaluation of Buy X Get Y discounts could result in an error, leading to incorrect or inconsistent results. For example, such problems could occur after adding discount-related products to the shopping cart on a high-traffic website.

    12.0.68
  • E-commerce - Preview tab incorrectly displayed for products without a URL

    The 'Preview' tab in the 'Products' application on MVC sites was incorrectly displayed for products without an available live URL (for example products whose page type did not have a URL pattern configured). The problem occurred after applying hotfix 12.0.53 or newer.

    12.0.67
  • Users - User full name incorrectly updated in certain cases

    Updating system user objects via the MVC site (as part of account detail updates, password resets, and similar operations) automatically generated the user's 'FullName' property by concatenating the existing first and last name values. For example, this could override all customizations made to the user's full name on the side of the administration interface. After applying the hotfix, the full name is automatically generated upon user creation and only updated if the system detects that the original automatically generated full name is still being used.

    12.0.66
  • Form controls - Form field selector not working in the macro rule designer

    The 'Form field selector' form control did not work when creating conditions in the macro rule designer. For example, it was not possible to select a field when configuring the parameter of the "Contact has filled in form field" macro rule.

    12.0.66
  • E-mail engine - Priority headers incorrectly set for certain outgoing emails

    Certain emails that were sent directly without going through the email queue incorrectly had their priority (importance) headers set by the system. For example, marketing email drafts were always sent out with low priority. After applying the hotfix, the priority is not set for any outgoing emails.

    12.0.66
  • Search - Unpublished pages could cause incomplete search indexing

    When creating or rebuilding smart search indexes of the 'Pages' type (local or Azure), not all pages were correctly included in the index if a processed batch of records contained only pages that were not published on the live site. For example, the problem could occur on sites with large sections of archived pages, containing more items than the 'Batch size' set for indexes.

    12.0.65
  • Web farms - Web farm task maintenance timeout errors in certain scenarios

    If using a database server with relatively low-tier performance (for example an Azure SQL database with under 50 DTUs), timeout errors could occur when the system performed cleanup of web farm tasks, typically when the instance contained large synchronization tasks with binary data. This resulted in event log errors and potentially a buildup of web farm tasks in the database. To fix the issue, either increase the connection timeout for the database or lower the batch size for task deletion by adding the new 'CMSWebFarmTaskDeleteBatchSize' key to the project's web.config file. The key's default value is 500.

    12.0.64
  • UI personalization - UI personalization preventing "unsaved changes" warnings for Pages

    Notifications about unsaved changes did not work in the Pages application for users who had the 'Properties' tab hidden by the UI personalization feature.

    12.0.63
  • Facebook integration - Facebook authentication caused non-unique email address values

    Facebook authentication on Portal Engine sites did not respect the 'Require unique user emails' setting and could create user accounts with the same email address as an existing user in the system. After applying the hotfix, such conflicts result in the creation of a Kentico user account with an empty email address.

    12.0.63
  • Localization - Incorrect localization of form properties on MVC sites

    Localizing a form's 'After the form is submitted' or 'Submit button' text using resource strings (on the 'General' tab of the form's editing interface) did not work correctly for forms displayed on MVC sites using the 'Form' widget. The live site always displayed the English version of the text instead of using the current page's culture.

    12.0.62
  • Translation services - Error when translating linked pages together with the original

    An error occurred when creating a translation submission that contained a linked page together with the link's original page. After applying the hotfix, translation submissions filter out link duplicates and only include the original page.

    12.0.61
  • Page builder - URL fragment lost for links stored in component properties

    URL values stored in the properties of page builder widgets, sections or templates (either through the property configuration dialog or an inline editor) lost their '#' fragment component after resaving the page multiple times. This could result in broken anchor links.

    12.0.61
  • A/B testing - Page visit conversions not logged correctly for tests on MVC sites

    Page visit conversions for A/B tests on MVC sites were not logged correctly for sites running on a URL without a virtual directory (i.e. hosted directly in the root of an IIS website).

    12.0.61
  • Workflow - Selection of roles from multiple sites not working in step security

    Selection of roles from multiple different sites did not work correctly on the 'Security' tab of workflow or marketing automation steps. Selecting roles for one site incorrectly cleared the role selection made for other sites. After applying the hotfix, the site selector no longer appears above the role listing on the Security tab, but instead is part of the role selection dialog.

    12.0.60
  • MVC - Broken relative links in bundled CSS code when previewing pages

    If a project used bundling for CSS files and was compiled with a 'Release' configuration (i.e. the <compilation> element's 'debug' attribute set to 'false' in the web.config file), links to assets in the CSS code (fonts, images, etc.) with a relative URL became broken when viewing pages in preview mode or the page builder interface.

    12.0.60
  • Page builder - Unable to add new lines to text area properties in Firefox

    If a page builder component's property (for example a widget property) used the 'Text area' editing form component, pressing the Enter key to add new lines within the resulting property configuration dialog did not work in the Firefox browser. The problem also affected any custom form components containing a 'textarea' tag.

    12.0.59
  • Staging - Deleting of alternative page URLs not synchronized

    Staging tasks generated after deleting all alternative URLs from a page on an MVC site did not work correctly (only if there were no remaining alternative URLs after the deletion). In these cases, the alternative URLs remained on target servers after synchronizing the corresponding 'Update page' staging task.

    12.0.58
  • Page builder - Improved error logging for page builder form components

    The system did not provide sufficient information for developers about errors originating from MVC form components when displayed as part of the widget properties dialog. After applying the hotfix, such errors are logged with full exception details into the system's event log.

    12.0.58
  • Web parts - Missing username validation in the 'Custom registration form' web part

    The 'Custom registration form' web part did not validate the entered username value. If the specified username contained an invalid character, such as an apostrophe, an error occurred on the website.

    12.0.57
  • Continuous integration - SQL error after adding a page type field

    If a website contained a very large number of pages (tens of thousands) of a certain page type, adding a new field to the page type with continuous integration enabled resulted in an SQL query that was too complex and an error occurred. After applying the hotfix, the system generates less complex queries for such scenarios, which minimizes the chance of SQL errors.

    12.0.57
  • E-commerce - Error when adding a new product culture version in the Products application

    When managing products in the 'Products' application on a Portal Engine site, switching the language selector to create a new culture version of a product caused an error. The error only occurred after applying hotfix 12.0.53 or newer.

    12.0.56
  • Users - Redundant database calls when updating or resetting user passwords on MVC sites

    Updating or resetting user passwords on MVC sites (using Kentico's ASP.NET Identity integration) resulted in redundant database updates of the affected user object. Applying the hotfix reduces such updates, lowering the likelihood of potential database deadlocks occurring in this scenario.

    12.0.55
  • Social media - LinkedIn company profile management not working

    Due to changes in the LinkedIn integration API, the LinkedIn company profile management functionality in Kentico did not work. After applying the hotfix, you additionally need to obtain the 'rw_organization_admin', 'r_organization_social' and 'w_organization_social' permissions for your LinkedIn app, which requires you to apply and be approved as a LinkedIn Partner. You also need to 'Reauthorize' all LinkedIn company profiles in your 'LinkedIn' application in Kentico. See the hotfix instructions for details.

    12.0.55
  • Form components - 'File uploader' form component error with the integration bus enabled

    An error occurred when submitting an MVC form containing the 'File uploader' form component if outgoing synchronization using the integration bus was enabled.

    12.0.55
  • E-commerce - Products incorrectly disabled after deleting one culture version

    For products that were used within an existing order, deleting one culture version of the product page incorrectly disabled the 'Allow for sale' property of the given product (SKU), even if there were other culture versions. After applying the hotfix, products are disabled only if no remaining culture versions exist.

    12.0.55
  • URL rewriting & SEO - Home page URL wildcard values lost after domain root redirects

    If a site's 'Default page' setting was configured to the 'Use domain root' option, the redirect to the root did not preserve the values of any wildcard parameters contained in the home page's URL. After applying the hotfix, the domain root redirect URL includes wildcard parameters in the query string.

    12.0.54
  • Page builder - Error on page builder pages with components using ECMAScript 5 features

    If a page builder component (such as a widget) included scripts that used certain ECMAScript 5 features, an exception could occur in some scenarios when loading page builder scripts on pages containing the component. For example, the error could be encountered after installing the Kentico 'Rich text' inline editor widget. After applying the hotfix, the system no longer provides minification of page builder component scripts by default (we recommend adding custom minification of scripts in your project).

    12.0.54
  • Staging - Permission requirements to view failed staging task details

    If a user only had permissions to manage certain types of staging tasks (page, object, data), without the 'Manage all tasks' permission for the Staging module, they could not view the details of a failed task on the corresponding tab in the 'Staging' application.

    12.0.53
  • Reporting - Error when using reporting components on custom pages

    If reporting components (such as the 'DisplayReport.ascx' control) were used within custom pages, an error could occur while loading reports in certain scenarios and life cycle configurations. The errors occurred after applying hotfix 12.0.14 or newer.

    12.0.53
  • E-commerce - Preview not working in the Products application

    The 'Preview' tab for products in the 'Products' application did not work on MVC sites due to incorrectly set Content Security Policy headers. The problem occurred only after applying hotfix 12.0.29 (Service Pack) or newer.

    12.0.53
  • Authentication - Editor cookies not set correctly in certain authentication scenarios

    If the 'Default cookie level' setting was lower than 'Editor', the system did not correctly set certain editor cookies for administration interface users who did not pass through the default sign-in page (for example when signing in via external claims-based authentication, Windows authentication, or directly on the live site and then accessing an administration URL). The missing cookies prevented parts of the administration interface from working correctly, such as the marketing automation and advanced workflow designer.

    12.0.53
  • MVC - Improved error logging for page builder components

    The system did not provide sufficient information for developers about certain types of errors originating from MVC page builder components (widgets, sections, inline property editors, etc.). For example, no details were available for errors resulting from the Razor view code of components. After applying the hotfix, such errors are logged with full exception details into the system's event log.

    12.0.52
  • Integration bus - Error when viewing details of failed integration bus tasks

    It was not possible to view the details of failed incoming or outgoing integration bus tasks in the 'Integration bus' application. Attempts resulted in a JavaScript error being logged in the browser console.

    12.0.52
  • Facebook integration - Facebook Insights reporting

    Due to breaking changes in Facebook's API, the Facebook Insights reporting feature in Kentico (accessible via the 'Insights' tab when editing a page in the 'Facebook' Kentico application) displayed incorrect data. Moreover, as a result of these changes, 'Page fans' Insights reports no longer chart cumulative growth, but instead report daily fluctuations.

    12.0.52
  • A/B testing - Unable to view A/B test details from the Pages application in certain cases

    It was not possible to view A/B test details from the 'Pages' application in published projects (using the 'Manage A/B test' button).

    12.0.52
  • Transformations - 'IsLast' transformation method not working correctly for paged data

    The 'IsLast' transformation method did not return correct values in scenarios where the data used pagination. For example, the method did not return a 'true' value when the transformation was applied to the last item displayed by the 'Repeater' web part with paging enabled.

    12.0.51
  • Sites - Incorrect current site selection if multiple MVC sites had the same base domain

    If an instance had multiple MVC sites and their presentation URLs contained the same base domain (for example with differences in the application path, e.g. 'domain.com' and 'domain.com/appPath'), the system in certain cases incorrectly used the site running on the less specific base domain as the current site. This affected both default functionality, and the result of 'SiteContext.CurrentSite' API calls in custom code. The problem occurred only after applying hotfix 12.0.41 or newer.

    12.0.51
  • Attachments - Incorrect permission check when uploading attachments for new pages

    Permissions for uploading page attachments were evaluated incorrectly if the 'Insert link' or 'Insert image or media' dialog was used to upload attachments while creating a new page (before the page was saved for the first time).

    12.0.51
  • URL rewriting & SEO - Domain redirection issues

    In certain cases, the system redirected requests to an incorrect domain URL. For example, if a site used HTTPS URLs, enforcement of separate domains for cultures, and had a domain alias with a specified 'Visitor culture', the wrong language version was displayed when a page was accessed under the culture-specific domain. The problems occurred only after applying hotfix 12.0.35 or newer.

    12.0.49
  • Campaigns - Incorrect contact demographics reports for certain campaign conversions

    If a conversion was set for a campaign with the "any" option selected in the configuration (for example a 'Subscription to a newsletter' conversion for 'Any' newsletter), the contact demographics detailed report for the given conversion displayed empty data.

    12.0.49
  • API - Incorrect 'CultureSiteInfoProvider.IsSiteMultilingual' result for first call

    When the 'CultureSiteInfoProvider.IsSiteMultilingual' API method was called for the first time for a site, it always returned a false result (subsequent calls worked correctly).

    12.0.49
  • URL rewriting & SEO - Domain alias redirection not working for URLs with the https scheme

    If a Portal Engine site had a domain alias with a 'Redirect URL' value containing the '{%protocol%}' macro, the redirection did not work correctly for URLs using the 'https' scheme.

    12.0.48
  • MVC - Added expiration for internal page builder and preview URLs

    The administration interface URLs internally used in the Pages application for the preview and page builder editing mode of pages on MVC sites incorrectly had unlimited validity. After applying the hotfix, these URLs contain a timestamp parameter and expire after 8 hours by default. The expiration time can be adjusted by setting the 'CMSPreviewLinkExpiration' key to a specific number of minutes in the web.config file of the Kentico administration application.

    12.0.47
  • MVC - Navigating to other pages through links on pages viewed through a preview URL

    When viewing pages on MVC sites through a preview URL (generated in the Pages application on the 'Properties -> General' tab), links to other pages incorrectly preserved the preview mode and the generated user context. After applying the hotfix, the 'href' attributes of such links no longer contain preview URLs and the links instead open the live site version of the targeted page.

    12.0.47
  • General - Kentico.Libraries NuGet package containing unnecessary DLLs

    The 'Kentico.Libraries' NuGet package contained unnecessary libraries (CMS.Synchronization.WSE3.dll, Microsoft.Web.Services3.dll and DotNetOpenAuth.dll). The libraries are no longer present after updating the package to version 12.0.46 or newer.

    12.0.46
  • WYSIWYG editor - Links from one site to another Portal Engine site generated incorrectly

    Links created using the editor were generated incorrectly if the link target was a page on a different Portal Engine site. The problem occurred only after applying hotfix 12.0.41 or newer.

    12.0.45
  • WYSIWYG editor - Fragment component lost when editing links in the editor

    If a link was created in page content using the editor and a '#' fragment component (e.g. anchor link) was manually added and saved to the URL, the fragment component was ignored when opening the link dialog again and lost upon subsequent save.

    12.0.45
  • Search - Search settings not reflected for certain page fields

    The system ignored search settings for page fields storing the content of widgets and editable regions ('DocumentContent' and 'DocumentWebParts'), which can be customized in the 'Modules' application -> 'E-commerce' -> 'Classes' tab -> 'SKU' -> 'Search' tab.

    12.0.45
  • Form components - 'U.S. phone number' form component console errors

    The 'U.S. phone number' form component did not correctly format United States phone numbers and logged errors into the browser console when rendered as part of a form.

    12.0.45
  • Users - Newsletter subscription information not updated in the 'Users' application

    The newsletter subscriptions listed in the 'Users' application on the 'Subscriptions' tab of a selected user were not correctly updated after the user unsubscribed from a newsletter.

    12.0.44
  • Page builder - Users with limited permissions unable to create pages in certain cases

    Users with limited permissions were not able to create MVC pages with page builder support (i.e. page types with the 'Use Page tab' option enabled) in certain scenarios. An "Access is denied" error occurred if the user had sufficient permissions only for the content tree sub-section where the page was being created, but not for all parent pages.

    12.0.44
  • General - APPSTART events logged for MVC websites disabled by an 'App_Offline.htm' file

    If an MVC website was disabled by adding an 'App_Offline.htm' file to the project root, every request unnecessarily triggered initialization of the Kentico application (leading to redundant 'APPSTART' events in the system event log).

    12.0.44
  • Dialogs - Performance issues in page selector dialogs

    The system processed page URLs inefficiently when listing items in page selector dialogs (e.g., when copying, moving or linking pages), which could lead to performance issues. For example, such issues could occur on MVC sites if the pages listed in the dialog had URL patterns containing resource-intensive macros.

    12.0.44
  • URL rewriting & SEO - 'RequestContext.IsSSL' property not working correctly

    Scenarios where a custom event handler was used to set the 'RequestContext.IsSSL' property did not work correctly (for example when handling HTTPS requests in environments with a reverse proxy server and TLS/SSL acceleration). The problem occurred only after applying hotfix 12.0.35 or newer.

    12.0.43
  • Search - 'Optimize local search indexes' scheduled task not working

    The 'Optimize local search indexes' scheduled task did not work.

    12.0.43
  • Page builder - Certain relative URLs not resolved correctly in the page builder

    If the value of an MVC widget property contained URLs in virtual relative format, and the property was edited and displayed using an inline editor, the URLs were not resolved correctly within the page builder interface (on the 'Page' tab of the Pages application). URLs within content on the live site were not affected and remained functional.

    12.0.43
  • Widgets - Form submit error when rendering the 'Form' widget within a custom widget

    If the default 'Form' widget was "nested" within a custom MVC widget (displayed using the 'RenderAction' HtmlHelper method), a 404 error occurred when submitting the resulting form. The problem occurred only after applying hotfix 12.0.30 or newer.

    12.0.42
  • User interface - Hash validation errors in the administration interface

    Errors or "access denied" messages could occur in certain parts of the administration interface due to incorrect hash validation. For example, when attempting to edit a transformation or query from the web part properties dialog. The problem occurred only after applying hotfix 12.0.40 or newer.

    12.0.42
  • Macros - Error when re-signing macros

    Re-signing macros in 'System -> Macros -> Signatures' resulted in an error on instances installed as 'web site' projects and on precompiled deployments. The error occurred only after applying hotfix 12.0.37 or newer.

    12.0.42
  • E-commerce - Incorrect tax exemptions for customers with a tax registration ID

    On instances with hotfix 12.0.12 or newer applied, customers with a filled in 'Tax registration ID' value were incorrectly exempt from tax for products with a tax class that had the 'Zero tax if tax ID is supplied' property disabled. Note that applying this hotfix corrects the default tax exemption, but also reverses the changes from 12.0.12 - custom tax exemptions added using an 'ICustomerTaxClassService' implementation apply only for products under a tax class with the 'Zero tax if tax ID is supplied' property enabled. If you have a custom tax exemption and wish to avoid this behavior, please contact Kentico support.

    12.0.42
  • WYSIWYG editor - Incorrect editing of links to content-only pages on different sites

    Editing a link to a content-only page from a different site using the WYSIWYG editor's 'Insert link' dialog incorrectly opened the 'Web' tab and displayed an external web link. After applying the hotfix, such links are correctly edited on the 'Content' tab.

    12.0.41
  • Web parts - Collapsible panel not displaying the expand/collapse image

    The 'Collapsible panel' layout web part and widget did not display the image specified through the 'Collapsed image' and 'Expanded image' properties.

    12.0.41
  • Users - Cloning of users only allowed for global administrators

    The 'Users' application incorrectly allowed only users with the 'Global administrator' privilege level to clone users (as well as perform 'Other actions', such as exporting users). After applying the hotfix, the actions are available for all users with sufficient permissions or at least the 'Administrator' privilege level.

    12.0.41
  • Page builder - Mouse button actions incorrectly propagated in modal dialogs

    Certain mouse button actions that occurred within modal dialogs in the page builder interface could incorrectly affect the interface outside of the dialog. Specifically, the 'mouseup' and 'mousedown' mouse button events were propagated to the dialog's parent elements.

    12.0.41
  • MVC - Anchor links not handled correctly in preview mode and page builder

    Links to URLs containing a '#' fragment component (e.g. anchor links) were not handled correctly in preview mode and the page builder interface. Upon clicking, such links lead to invalid URLs, resulting in the 404 error.

    12.0.40
  • Media library - File renaming not synchronized to other web farm servers

    When a file in a media library was renamed on instances running in a web farm environment, the system did not log synchronization tasks, so the file rename did not occur on other servers. The problem impacted media libraries on MVC sites, which utilize a web farm to synchronize changes to the file system of the MVC live site application.

    12.0.40
  • Hotfix - Error when hotfixing databases with a different schema than 'dbo'

    Applying the hotfix database scripts resulted in an error if the target database used a different schema than 'dbo' (the default schema for Kentico databases). The error occurs for hotfixes 12.0.29 (Kentico 12 Service Pack) up to 12.0.39, and is resolved in newer versions.

    12.0.40
  • URL rewriting & SEO - Unmapped domain alias redirection causing an uncaptured error

    If an external redirect was configured for the Kentico application (e.g., via IIS or the 'hosts' file) and the 'Force domain culture' setting was enabled, but the destination domain was not configured for the target site on the 'Domain aliases' tab in the 'Sites' application, attempting to access the site resulted in an uncaptured .NET error message being displayed to the visitor instead of the system error page.

    12.0.39
  • Form components - Files could not be deleted from 'File uploader' form fields

    After uploading a file into an MVC form field using the 'File uploader' form component, attempts to delete the file before submitting the form failed and resulted in an error.

    12.0.39
  • Form builder - Form builder not working when enforcing global authorization

    Globally enforcing authorization over the entire MVC front-end (using the 'Authorize' attribute) resulted in errors when accessing the 'Form builder' tab of the 'Forms' application in the administration interface.

    12.0.39
  • Authentication - Query string parameters lost during claims-based (WIF) authentication

    On Portal Engine sites using claims-based (WIF) authentication, URL query string parameters were lost when a user accessed a secured page, was redirected to sign in via the external identity provider, and then returned after successful authentication. After applying the hotfix, handlers of the 'SecurityEvents.AuthenticationRequested' global event include the full query string within the event arguments that provide the redirection URL.

    12.0.39
  • Users - Account lock notification emails not sent with site prefixes for user names

    If the 'Use site prefix for user names' setting was enabled, the system did not send notification emails to users whose account was locked due to password expiration or reaching the limit of invalid sign-in attempts. As a result, users could not access the password change or account unlock link in the email.

    12.0.38
  • On-line forms - Error on the Code tab for MVC forms with a 'File uploader' field

    If a form on an MVC site contained a field using the 'File uploader' form component, an error occurred on the form's 'Code' tab in the 'Forms' application. It was not possible to generate item and provider code for the given form.

    12.0.38
  • Macros - Object collection manipulation methods not working correctly when combined

    Macro expressions where multiple chained methods modified the data of an object collection did not work correctly in certain cases. For example, if a collection was first modified by the 'Filter' method and then the 'OrderBy' method was added, the original filtering was not applied to the resulting data.

    12.0.38
  • Licensing - Licensing error on MVC page builder pages for editions lower than EMS

    For instances with the Kentico 12 Service Pack applied (hotfix 12.0.29 or newer), a licensing error occurred on pages created using the MVC page builder if the site's license edition was lower than EMS.

    12.0.38
  • Form controls - 'Form field selector' form control not working correctly

    The 'Form field selector' form control did not work correctly. The control always saved the first field of the chosen form, regardless of the actual field selection in the second drop-down list.

    12.0.38
  • API - Kentico automated test API not compatible with NUnit 3.10 or newer

    When using the 'Kentico.Libraries.Tests' NuGet package to create automated tests, an error occurred when running tests if the 'NUnit' dependency package was manually updated to version 3.10 or newer. After applying the hotfix and updating the 'Kentico.Libraries.Tests' package to 12.0.38 or newer, tests are compatible with newer versions of the 'NUnit' package.

    12.0.38
  • Staging - Failed staging tasks incorrectly deleted in multi-server scenarios

    On instances with multiple target staging servers, synchronization tasks were incorrectly deleted in certain scenarios. When synchronizing tasks to all servers (with the '(all)' option selected in the server selector), tasks were fully deleted for all servers even if the synchronization was only successful for one of the servers.

    12.0.37
  • On-line forms - Validation error messages not displayed after form refresh

    Forms created using the MVC form builder did not display validation error messages correctly in certain scenarios. If a form was submitted and validation error messages were displayed, these messages disappeared when the form was refreshed (for example after further input triggered re-evaluation of a field's visibility condition).

    12.0.37
  • On-line forms - Uploaded files not included in email notifications for MVC forms

    Form fields using the 'File uploader' form component on MVC sites worked incorrectly with form notification emails. Such fields did not display the name of the uploaded file in the email content and the submitted files were not included as email attachments.

    12.0.37
  • Licensing - Licensing errors when re-signing macros

    Re-signing macros in 'System -> Macros -> Signatures' could lead to licensing errors in the event log and invalid macros (for macro expressions related to features for which the instance's current license edition was insufficient).

    12.0.37
  • Web parts - Layout web parts uneditable when located in hidden web part zones

    Layout web parts located in a hidden web part zone were completely invisible in the editing interface. The editing handle of such web parts was hidden, and it was not possible to edit them.

    12.0.36
  • Modules - 'Parent object type' incorrectly configured for the 'Edit role' UI element

    The 'Parent object type' property of the 'Roles' application's 'Edit role' UI element was incorrectly set to 'A/B test (om.abtest).' This could have caused errors when adding child UI elements to the 'Edit role' element. Applying the hotfix sets the 'Parent object type' property to '(automatic).' Note that this will also overwrite any customizations made to the 'Edit role' element in your project.

    12.0.36
  • Dialogs - Unable to upload new media files using the Media files selector JavaScript API

    It was not possible to select or drag and drop media files from the file system after opening the media files selector modal dialog. The problem occurred when the 'allowedExtensions' property was not specified in the 'options' parameter object of the 'modalDialog.mediaFilesSelector.open(options)' function.

    12.0.36
  • Web farms - Accumulation of redundant records in the 'CMS_WebFarmTask' table

    In special cases, the system accumulated redundant records by repeatedly failing to delete the records from the 'CMS_WebFarmTask' database table.

    12.0.35
  • MVC - 'Kentico.AspNet.Mvc' NuGet package incorrectly modifying the web.config file

    Installing or updating the 'Kentico.AspNet.Mvc' NuGet package added an empty 'CMSConnectionString' <add> element to the 'connectionStrings' section in the web.config file, if it was not already present. This could cause errors in certain scenarios, for example when using an external connection string file specified via the 'configSource' attribute. The same problem could occur also for the 'appSettings' section with specified 'configSource', where the NuGet installation was adding the 'CMSHashStringSalt' app setting. Versions 12.0.35 and newer of the package no longer add the empty 'CMSConnectionString' and 'CMSHashStringSalt' elements when the 'configSource' attribute is present in their parent section. In case of external config sources, developers need to manually specify the 'CMSConnectionString' connection string and the 'CMSHashStringSalt' app setting in the external config files.

    12.0.35
  • General - Running Kentico Portal Engine applications behind a proxy server causing errors

    When the Kentico application was running behind a proxy server or some other service that masks the application's original domain (e.g., Azure Application Gateway), it generated certain requests with incorrect URLs. This caused errors in parts of the application (e.g., when uploading files into Media libraries). When hosting the Kentico application behind a proxy server, developers need to set the 'CMSUrlHost' web.config key (added by the hotfix) to the 'host' component of the proxy server's URL to ensure the application correctly generates request URLs. Please note that this configuration currently applies only for Portal Engine projects. See the hotfix instructions for more information.

    12.0.35
  • E-commerce - 'Customer detail' web part incorrectly validating email addresses

    The 'Customer detail' web part did not validate the uniqueness of entered email addresses for signed-in users. If the entered email address was already registered in the system (e.g., by another user), this could have resulted in two users with identical addresses (due to the way the system merged the submitted information with the internal user object).

    12.0.35
  • E-commerce - Shipping option incorrectly evaluated for certain orders

    In certain cases, when utilizing the web part-based checkout process on Portal Engine sites, a previously selected shipping option incorrectly persisted over multiple orders, even though the orders did not contain any shippable items. Furthermore, when using custom shipping carrier providers, removing all shippable items from an order after a shipping option has been selected resulted in an error in certain cases.

    12.0.35
  • Users - New Kentico.Membership.User extensibility support

    Kentico's ASP.NET Identity integration for MVC projects was tightly coupled with the default 'Kentico.Membership.User' class. Any changes to the 'User' class (e.g., added custom properties or additional logic) required a full re-implementation of the entire ASP.NET Identity integration. The hotfix expands the Kentico membership API by introducing the 'KenticoUserManager', 'KenticoUserStore', and 'KenticoSignInManager' types, which allow developers to seamlessly integrate custom user types derived from the default 'Kentico.Membership.User' class. See the hotfix instructions for more details.

    12.0.34
  • Form controls - Incorrect validation of the Image and Media selection form controls

    When using the 'Image selection' and 'Media selection' form controls for the fields of pages under workflow, validation of the fields was executed incorrectly in certain cases. For example, if the field was set as required after an existing page was already published, the validation prevented users from subsequently creating a new version of the page.

    12.0.34
  • Hotfix - New web projects not working after hotfixing the setup files

    After applying hotfix 12.0.29 or newer to the Kentico setup files, new web projects created using the hotfixed installer did not run or compile correctly (due to missing updates of the NuGet package 'packages.zip' archive). To fix the problem, you need to apply hotfix 12.0.33 or newer to the setup files.

    12.0.33
  • General - Publishing the administration project with precompilation fails

    It was not possible to precompile and publish (e.g., via the Visual Studio 'Publish' wizard) the Kentico project hotfixed to version 12.0.29 or higher due to incorrect file references. Applying the hotfix ensures no incorrect references exist in the project's .csproj file, allowing the publishing process to proceed without problems.

    12.0.33
  • A/B testing - Context menu for adding pages incorrectly offered an A/B variant option

    The 'New...' context menu in the Pages application incorrectly offered the option to create new pages as A/B test variants on MVC (content-only) sites. This option was not relevant, as the A/B testing feature on MVC sites does not use separate pages for variants.

    12.0.33
  • Portal Engine - User widgets not saved on the live site

    When a registered user tried adding or configuring widgets on the Portal Engine live site, changes made inside the 'User personalization' widget zones were not saved. You could experience this issue if you installed the hotfix version 12.0.30 or 12.0.31.

    12.0.32
  • Form engine - Fields in on-line forms losing focus

    Forms that contained fields with conditions whose evaluation required a server postback (e.g., fields with 'Has depending fields' enabled) lost focus on the currently selected field after the form was reloaded. After applying the hotfix, field selection persists through postbacks.

    12.0.32
  • Campaigns - Page visits not logged on campaigns when using the cookie consent web part

    When a visitor arrived at a campaign's landing page via a link containing UTM parameters and accepted cookies via the 'Cookie law and tracking consent' web part, the visitor's cookie level and UTM parameters were not evaluated correctly. As a result, a page visit activity was not logged for the campaign's landing page.

    12.0.32
  • Search - Field search not possible in smart search indexes when using 'SearchParameters.PrepareForPages'

    The 'SearchParameters.PrepareForPages' method created a 'SearchParameters' object that forced a specific level of supported smart search syntax for search queries. This interfered with the smart search functionality, for example not allowing exact field searching to be performed (i.e., the syntax 'field:"searchquery"' was incorrectly processed). The hotfix introduces overloads for the 'SearchParameters.PrepareForPages' method that allow users to configure the levels of supported syntax per search request when creating the 'SearchParameters' object. See the hotfix instructions for details.

    12.0.32
  • A/B testing - Page variants modifiable for running MVC A/B tests

    It was incorrectly possible to add and delete page variants of running MVC A/B tests. Deleting page variants mid testing could lead to loss of data and result in skewed test results.

    12.0.31
  • Workflow - Unable to restore pages under certain types of workflow from the recycle bin

    An error occurred when trying to restore pages under certain types of advanced workflow from the recycle bin (if the workflow utilized wait steps or step timeouts). If the issue persists for pages created before the hotfix was applied, you need to manually delete scheduled tasks related to the given workflows in the 'Scheduled tasks' application on the 'System tasks' tab before restoring the pages.

    12.0.30
  • REST - Error when setting GUID values using JSON data

    An error occurred when using the REST service to set the value of a column with the GUID data type if the request data was in the JSON format.

    12.0.30
  • Portal Engine - Widgets not saved after opening the live site in another browser tab

    When adding or configuring editor widgets in the Pages application on Portal Engine sites, changes made in the widget properties dialog were not saved in scenarios where the user opened the live site in another browser tab.

    12.0.30
  • Page builder - Live site page builder error for applications without a default route

    Pages created using the MVC page builder (i.e. containing sections and widgets) displayed an error on the live site if the MVC application's route collection did not contain a general default route with a controller and action parameter. The problem occurred after applying hotfix 12.0.29 (Service Pack).

    12.0.30
  • MVC - CORS policy error when creating new pages

    When running an MVC site and the Kentico administration application on different domains, an error could occur when creating new pages of a content-only page type with the 'Show Page tab' setting enabled. The error was encountered if the 'UseResourceSharingWithAdministration()' feature was not enabled for the MVC application, and only after applying hotfix 12.0.29 (Service Pack). With hotfix 12.0.30 or newer, the cross-origin resource sharing feature is automatically enabled for all MVC projects.

    12.0.30
  • Kentico 12 Service Pack

    Hotfix 12.0.29 is the Kentico 12 Service Pack, which represents a larger update than a standard hotfix and includes new features. For detailed information about the introduced changes, please refer to the Service Pack release notes linked at the top of this section.

    12.0.29
  • Media library - Incorrect media file size

    The system incorrectly retrieved and displayed the file size value as 0B for very large media library files (for example in the 'Media libraries' application and media selection dialogs).

    12.0.28
  • Attachments - Incorrect caching of attachment permissions

    If checking of page permissions was enabled for attachment files ('System -> Files -> Check files permission' setting), the result of the permission evaluation was cached incorrectly. This could cause users to incorrectly be allowed (or unable) to access attachments based on the cached result.

    12.0.28
  • On-line marketing - Page activities logged in the administration interface for MVC sites

    On sites built using the MVC development model, 'Page visit' and 'Landing page' activities were incorrectly logged when viewing pages in the 'Pages' application of the administration interface. After applying the hotfix, page related activities are only logged on the live site.

    12.0.27
  • Email marketing - Sending of emails blocked after deleting and later restoring a widget

    If an email widget used in a marketing email was deleted, the email was then modified and saved, and the widget was later restored, it was not possible to send out the marketing email (the system did not detect the restoration of the widget and update the email to a sendable state).

    12.0.27
  • Page builder - Broken relative URLs in page builder content

    If content added through the page builder (for example using a custom text editor widget) included URLs in virtual relative format, the URLs became broken after resaving the content on the 'Page' tab in the 'Pages' application. Relative URLs ('~/<resource path>') are resolved into virtual context URLs ('/cmsctx/.../<resource path>') to work within the administration interface, but this value was incorrectly saved into the database on subsequent edits. After applying the hotfix, virtual context URLs are reversed back into relative URLs before being saved. The fix does not address any existing broken links - these need to be fixed and resaved manually.

    12.0.26
  • MVC - Page links incorrectly created with absolute URLs in rich text fields

    The 'Insert link' dialog, available in the editor for rich text fields on the 'Content' tab of content-only pages, incorrectly created page links with absolute URLs, including the site's scheme, domain and application path (i.e. the site's 'Presentation URL'). This could cause broken links when transferring content between different environments, for example using staging. After applying the hotfix, the editor creates page links with virtual relative URLs ('~/<link path>'). Additionally, the hotfix introduces an output filter that automatically resolves all relative URLs on the side of the MVC live site (based on the environment where the site is actually running). See the hotfix instructions for more information.

    12.0.26
  • MVC - 'EditingComponent' attribute triggering redundant validation

    Properties of page and form builder components annotated with the 'EditingComponent' attribute were incorrectly validated against the database column size constraints specified in the constructor of the corresponding editing component's properties class. After applying the hotfix, the database column size constraint validation is performed only when submitting values via a form composed using the 'Form builder.'

    12.0.26
  • Import/Export - Forced smart search index rebuild when importing site objects

    When a package containing site-specific data was imported, the system forced the rebuild of all smart search indexes. This occurred for all imported objects and could result in long and unnecessary rebuild operations for large indexes. The hotfix disables the forced index rebuild and introduces a new 'Rebuild site search indexes' setting in the 'Objects selection' step of the import wizard, allowing users to determine whether an index rebuild is necessary for each individual import.

    12.0.26
  • Reporting - No data in report subscription emails for reports with parameters

    If a user subscribed to an entire report that had parameters and a filter, the resulting report status emails did not contain any data.

    12.0.25
  • Page builder - Checkbox component not working in personalization configuration dialogs

    If the default 'Checkbox' component was assigned to a property of a personalization condition type (using the 'EditingComponent' attribute), the checkbox did not work correctly in the resulting configuration dialog when the condition type was selected while personalizing a page builder widget.

    12.0.25
  • Email marketing - 'IsInPersona' macro for contact group recipients of email campaigns

    When a marketing email in an email feed of the 'Email campaign' type contained the 'IsInPersona' macro and was sent to a contact group, the macro always returned a 'True' value for all contacts in the contact group. The previously released 12.0.23 hotfix fixed the same issue, but only for email feeds of the 'Newsletter' type.

    12.0.25
  • Email marketing - Context specific macros not displayed in the plain text email editor

    The 'Insert macro' dialog within the plain text editing interface for marketing emails did not offer context specific objects (for example 'Recipient' or 'Email'). The problem occurred only after applying hotfix 12.0.17 or newer.

    12.0.25
  • Web parts - Custom filters not working on precompiled sites

    Custom filters created for the 'Filter' web part were not loaded correctly on precompiled sites.

    12.0.24
  • Page builder - Protocol-relative links broken in the page builder interface

    If a script or other resource was linked in the markup of an MVC page using a protocol-relative URL, the link URL was incorrectly modified and became broken when the page was viewed in preview mode or the page builder interface within the Pages application.

    12.0.24
  • Form controls - Enabled condition not working for the 'HTML5 input' form control

    If a form field used the 'HTML5 input' form control, the 'Enabled condition' advanced field setting did not work. Such fields were always enabled even if the specified condition was not fulfilled.

    12.0.24
  • Staging - X.509 certificate authentication not working for Azure App Service instances

    Staging service authentication using X.509 certificates did not work on instances hosted as an Azure App Service (the system worked with a different certificate store location than the one used by certificates imported into Azure).

    12.0.23
  • Email marketing - 'IsInPersona' macro evaluating incorrectly for contact group recipients

    When a marketing email containing the 'IsInPersona' macro was sent to a contact group, the macro always returned a 'True' value for all contacts in the contact group.

    12.0.23
  • E-commerce - Authorize.Net payments failed in certain cases

    Payments using the default Authorize.Net provider could fail due to an exceeded maximum length of requests generated by the system (in cases where the payment data contained long parameters, such as the names of shipping options, etc.). Additionally, the system did not resolve localization expressions in the parameters of the sent payment data.

    12.0.23
  • Controls - SelectPath control not working with the 'EnableSiteSelection' attribute

    The '~/CMSModules/Content/FormControls/Documents/SelectPath.ascx' control's selection dialog did not work if the control was placed into the markup of a web form or user control and its 'EnableSiteSelection' property was set as an attribute.

    12.0.23
  • Media library - Unable to select certain folders from Azure storage media libraries

    When the 'URL selector' form control was configured to display the Media tab and a media library 'Starting path' was also specified, it was not possible to select media files from subfolders if the given library was mapped to Azure storage.

    12.0.22
  • E-commerce - Shipping or billing address changes not saved during checkout

    If a customer set both the shipping and billing address during checkout on a Portal Engine site (via a page containing the 'Customer detail' and 'Customer address' web parts), and then later returned to the given checkout step to update one of the addresses, the changes were not saved.

    12.0.22
  • Authentication - Password reset emails not sent in special cases

    The system did not send password reset emails in cases where the user's email address matched the address of another user account that was disabled.

    12.0.22
  • Integration bus - Duplicate processing of integration tasks

    When utilizing a web farm setup together with the integration bus, a single integration task could be processed by multiple web farm servers (usually when the environment experienced heavy load). For example, this could result in duplicates of the processed object being created in the connected external system.

    12.0.21
  • Form controls - Inconsistent site selection when using the 'Related pages' form control

    When the 'Allow switch sides' setting was cleared and a 'Relationship name' was specified in the advanced editing control settings of a page type field that used the 'Related pages' form control, the resulting field did not allow adding of related pages from sites other than the current site.

    12.0.21
  • Email marketing - Changed priority of confirmation emails to normal

    Double opt-in, subscription, and unsubscription confirmation emails were sent with 'low' priority, which could cause long delays for subscribers on instances that sent out a large number of other emails. After applying the hotfix, the priority of such confirmation emails is set to 'normal'.

    12.0.21
  • Translation services - Microsoft Translator Text API updated from V2 to V3

    The hotfix updates the Microsoft Translator Text API from Version 2 (V2) to Version 3 (V3), because V2 will be discontinued on April 30, 2019. In addition, the 'Speak' method of the 'MicrosoftTranslatorService' class, which could be used in custom code for text-to-speech functionality, is no longer supported after applying the hotfix.

    12.0.20
  • Social media - URL shortening causing excessive CPU load

    When using URL shorteners to process links in text posted to social media, the application consumed excessive resources on the server (CPU) if the link URLs contained certain special characters. The problem also occurred when calling the 'URLShortenerHelper.ShortenURLsInText' method in custom code.

    12.0.20
  • Portal Engine - Editable text web part did not display latest content in special cases

    When a page with a workflow applied contained an 'Editable text' web part, the latest version of the web part's content was not displayed in 'Preview' mode when viewing child pages which inherited the original page's content (via page nesting and the 'Page placeholder' web part).

    12.0.20
  • Staging - Product pages with associated SKUs not staged correctly in certain cases

    When a page with an associated SKU was under a workflow, modified fields of the SKU that contained ID values (such as the 'SKUDepartmentID' field) were not staged correctly if the IDs were different between the staging servers, but the 'NodeSKUID' field was identical.

    12.0.19
  • On-line forms - Unable to remove fields via the Form builder tab on Portal Engine sites

    When editing forms on a Portal Engine site via the 'Form builder' tab in the 'Forms' application, removing or cloning of fields did not work if the field's 'Label' value contained an apostrophe (single quote) character.

    12.0.18
  • Macros - Macro editor properties of email widgets not offering context-specific objects

    If an email widget property used the 'Macro editor' form control, context specific objects were not available in the macro autocomplete feature and 'Insert Macro' dialog. It was still possible to enter such objects manually.

    12.0.17
  • Form controls - Uni selector not working correctly for values with special characters

    The 'Uni selector' form control did not save selected items correctly if the returned value (determined by the control's 'Return column name' setting) contained special characters. The problem occurred in selection modes that utilize a dialog, such as 'Multiple'.

    12.0.17
  • Form builder - 'FormFieldRenderingConfiguration.GetConfiguration' event

    The 'FormFieldRenderingConfiguration.GetConfiguration' event added as part of the form builder markup customization API introduced in hotfix 12.0.14 was incorrectly invoked in certain scenarios. After applying the hotfix, the event is only triggered for forms rendered by the 'Form' widget. All documented customization scenarios remain unaffected.

    12.0.17
  • E-commerce - Empty required values incorrectly synchronized from users to customers

    For users with an associated customer, setting the 'First name', 'Last name' or 'Email' property to an empty value incorrectly cleared the corresponding value for the customer entity. These are required fields for customers, so this type of synchronization caused an invalid state. After applying the hotfix, only non-empty name and email values are synchronized from users to customers.

    12.0.17
  • Page builder - Scrolling not working for form components in the widget properties dialog

    When using custom form components in the configuration dialog for page builder widget properties, scrolling functionality was incorrectly disabled. As a result, form components with scrollable elements (e.g. advanced drop-down options) did not work when used to edit widget properties.

    12.0.16
  • Dialogs - 'modalDialog' function ignoring 'otherParams' in custom client code

    When calling the 'modalDialog' JavaScript function in custom client code within the administration interface, the function's 'otherParams' parameter was ignored in certain cases (in locations where the system opened an advanced modal dialog). As a result, developers could not control parameters such as the resizability of the opened dialog.

    12.0.16
  • Campaigns - utm_content parameter not logged or displayed for campaigns on MVC sites

    When running a campaign on an MVC site, the value of the 'utm_content' parameter used in the campaign's links was not logged correctly for conversions or displayed in the campaign's reports.

    12.0.16
  • API - 'ResourceStringInfoProvider.TranslationExists' method returning an incorrect result

    The 'ResourceStringInfoProvider.TranslationExists' method returned an incorrect result in certain cases (after the system's cache was cleared).

    12.0.16
  • Web parts & controls - Error when reselecting a linked file in the 'Javascript' web part

    An error occurred when attempting to select a file in the 'Linked file' property of the 'Javascript' web part if another file was already specified.

    12.0.15
  • General export - Unable to select custom contact fields for export

    When using the Advanced export feature for contacts in the 'Contact groups' application with the 'Export raw database data' option selected, it was not possible to select custom contact fields for the export.

    12.0.15
  • General - Requests containing query string parameters without a value causing errors

    Processing of requests containing a query string parameter without a value, such as '?param', could result in an error in certain scenarios. For example, the errors could occur for requests that loaded files and other resources.

    12.0.15
  • Form controls - 'SKU selector' not working with the 'Allow multiple choice' setting

    The 'SKU selector' form control did not work if its 'Allow multiple choice' setting was enabled.

    12.0.15
  • E-commerce - Image saved incorrectly for product variants

    If the product variant editing form (i.e. the 'Variant properties' alternative form of the 'SKU 'class) was customized to display the 'Image' field (SKUImagePath), the field's default 'Product image selector' form control did not correctly save information about uploaded image metafiles. This resulted in incorrect behavior, for example when displaying or staging the variant and its image.

    12.0.15
  • Web parts - Tabs of the 'Tabs layout' web part not hidden correctly in special cases

    Tabs displayed by the 'Tabs layout' web part were not hidden correctly in certain cases when their content was empty, even when the web part's 'Hide empty tabs' property was enabled. For example, the problem occurred if a tab contained a Repeater web part with an empty data source and the 'Hide if no record found' property enabled.

    12.0.14
  • Reporting - Parameter validation rules not working for reports displayed by web parts

    If a report had parameters with defined validation rules, the validation did not work when the report and its parameter filter were displayed on a website page using a reporting web part or widget.

    12.0.14
  • Pages - Unable to select an alternative URL redirection page when deleting linked pages

    When deleting a linked page from the content tree in the 'Pages' application, it was not possible to select an alternative page to which old URLs could be redirected.

    12.0.14
  • Form builder - Form markup customization

    The hotfix introduces additional API that enables more extensive markup customization options for forms built using the 'Form builder' feature. See the hotfix instructions for details.

    12.0.14
  • Web analytics - Tracking of visitors from the Seznam search engine

    The 'Seznam' search engine defined in the 'Search Engines' application had an obsolete domain configured in its 'Domain rule' property. As a result, visitors from the Seznam search engine (seznam.cz) were not being tracked accurately. After applying the hotfix, the system correctly tracks all visitors that access a site from the 'Seznam' search engine.

    12.0.13
  • REST - Failed REST authentication for passwords containing the colon character

    Authentication of requests to the Kentico REST service failed if the provided password contained the colon character (':').

    12.0.13
  • MVC - Error when adding widgets or form components with certain identifier suffixes

    If an MVC widget or form component was registered with an identifier containing a certain suffix (e.g. matching a blocked IIS extensions such as '.resources' or '.sitemap'), an error occurred when the item was added to the page or form builder.

    12.0.13
  • MVC - Resource files not copied as part of the publishing process

    When publishing an MVC live-site application (e.g., via the Visual Studio 'Publish' wizard), the publishing process did not copy certain .NET Resource (.resx) files. This resulted in unresolved resource strings in parts of the published application. The problem occurred when using versions 12.0.1 to 12.0.12 of the 'Kentico.AspNet.Mvc' NuGet package. From package version 12.0.13, all necessary resource files are copied during the publishing process.

    12.0.13
  • Form builder - Invalid characters allowed as part of the 'Name' property of form fields

    The system allowed invalid characters as part of the 'Name' property of form fields (adjustable via the Properties tab of the MVC Form builder). After applying the hotfix, the 'Name' property must begin with a letter or an underscore ('_') character and may contain only letters, numbers, and additional underscore characters.

    12.0.13
  • Event management - Event attendees removed after deleting a culture version of an event

    All event attendees stored for an event, represented as a page of the 'Event (booking system)' page type, were removed when one of the page's culture versions was deleted. After applying the hotfix, event attendees are removed only after the deletion of the event's last remaining culture version.

    12.0.13
  • Page builder - 'GetPage' method causing errors for widgets without properties

    Calling the 'GetPage' method in the Index action of an MVC widget without any properties defined resulted in an error when the widget was displayed.

    12.0.12
  • Form components - Text area form component character limit removal

    The hotfix removes the 500 character restriction placed on the 'Text area' form component for the MVC Form builder. After applying the hotfix, the character limit is by default set to the maximum number of characters allowed by the underlying database column. However, note that this change is only reflected in form fields created after the hotfix was applied. See the hotfix instructions for details.

    12.0.12
  • Email marketing - Incorrect sending of unsubscription confirmation emails

    The system did not send confirmation emails to recipients who unsubscribed from a single email feed of the 'Email campaign' type. Additionally, confirmation emails were incorrectly sent in certain cases after unsubscribing from all email feeds (email campaigns and newsletters), which is not intended behavior.

    12.0.12
  • E-commerce - Custom tax exemptions for customers not applied correctly

    If a tax exemption for customers was created by registering a custom 'ICustomerTaxClassService' implementation, it was only applied for products with a tax class that had the 'Zero tax if tax ID is supplied' property enabled. After applying the hotfix, the property no longer affects custom tax exemptions (unless checked in the code of the custom implementation).

    12.0.12
  • URL rewriting & SEO - Custom "Page not found" page not displayed for POST requests

    If the default CSRF security token functionality was disabled using the 'CMSEnableCsrfProtection' web.config key, custom 404 error handling pages assigned through the 'Page not found URL' setting were not displayed when a POST request targeted a non-existing URL (by default the standard IIS 404 page was displayed instead).

    12.0.11
  • Page builder - Errors with widgets and sections using actions other than 'Index'

    Widgets or sections that utilized actions other than 'Index' (for example the submit action of the default 'Form' widget) did not work correctly in certain scenarios. The problem could occur if the MVC application's route collection did not contain a general route with a controller and action parameter, or if a different route with a custom controller and the 'Index' action matched the page builder URLs.

    12.0.11
  • MVC - Page builder and preview did not work on pages accessed through MVC redirects

    Page builder and preview functionality did not work on pages whose controller and action was accessed through another action using an MVC redirect method (for example 'RedirectToAction').

    12.0.11
  • Form controls - Error when saving fields using the 'Form field selector' form control

    A validation error occurred when attempting to save a field with the 'Form field selector' form control if the control's 'Field data type' setting was set to the 'All' option.

    12.0.11
  • MVC - Missing preCondition for the CMSApplicationModule on MVC sites

    After installing or updating the 'Kentico.AspNet.Mvc' NuGet package, the 'CMSApplicationModule' module in the MVC project's web.config file did not contain the 'preCondition' attribute, which could have a negative performance impact on the application. Versions 12.0.10 and newer of the package ensure that the preCondition is correctly set to 'managedHandler'.

    12.0.10
  • Staging - Processed tasks not removed from the staging queue in certain cases

    If multiple staging tasks were synchronized in a single batch, and the synchronization failed for one or more of the tasks, the entire batch remained in the task list (including tasks that were already successfully processed).

    12.0.9
  • Search - Move operation on indexed pages causing a full index update

    A move operation on a subset of pages under an Azure search index redundantly updated all pages in the corresponding index. This could result in very long indexing operations on sites with a large number of indexed pages.

    12.0.9
  • General - Error when processing bundle requests

    Processing of requests to virtual paths defined by the Microsoft ASP.NET Web Optimization Framework, such as JavaScript or CSS bundles, resulted in an error (null reference exception). The errors occurred only for requests handled by the Kentico web project (not in MVC applications using the Kentico API).

    12.0.9
  • E-commerce - Inventory availability check may fail for concurrently placed orders

    Products that use inventory tracking and have the 'Sell only if items available' property enabled may in some cases be sold even when the inventory is depleted if multiple customers place orders concurrently. After applying the hotfix, the system logs a warning into the event log if such a situation occurs. Additionally, the hotfix introduces the 'CMSUseStrictInventoryManagement' web.config key, which you can enable to prevent the system from creating such orders. If you enable the key and have an MVC site or Portal Engine site with custom checkout components, you need to ensure that your custom code handles the resulting 'InvalidOperationException' and displays appropriate information to customers.

    12.0.9
  • Staging - Pages with an SKU not staging correctly in certain cases

    When a page with an associated SKU was synchronized with the 'Publish from' field set to a future date, fields of the SKU were not staged correctly (except the name and description fields).

    12.0.8
  • Staging - Relationship between products and pages broken after synchronizing pages

    Synchronizing pages with an associated product (SKU) could break the relationship between the page and the product on the target server (in cases where the IDs of the given SKU were different between the staging instances).

    12.0.8
  • Search - Certain transformation methods not working correctly for search results

    The 'DataItemCount', 'IsFirst()' and 'IsLast()' transformation property and methods did not work correctly for data returned by the smart search (for example in transformations used by the 'Smart search results' web part). After applying the hotfix, the property and methods return the correct values for the currently displayed page of results.

    12.0.8
  • Personas - Recalculation of personas not enabled after adding a new rule

    The system did not allow users to manually recalculate a persona after a new rule was added for the persona in the 'Personas' application.

    12.0.8
  • Dialogs - Image resizing not working correctly in certain media selection dialogs

    When selecting or uploading an image file in certain types of media selection dialogs (for example in a page field using the 'Media selection' form control), resizing of the image with a locked aspect ratio did not work correctly.

    12.0.8
  • User interface - 'Order by' property of UI selector components

    The 'Order by' property of the 'Selector' UI web part did not work, and also could not be set through the properties of UI elements that used the 'Listing with general selector' page template. After applying the hotfix, custom UI elements based on this template can now have their selector order by value configured through a new property.

    12.0.7
  • Form components - Unable to set a default value via the 'EditingComponent' attribute

    The 'DefaultValue' property of the 'EditingComponent' attribute did not initialize form components (e.g., in forms or widget properties dialogs) with the specified default value. After applying the hotfix, the 'DefaultValue' property correctly sets a form component's default value when necessary.

    12.0.7
  • Workflow - Saving multiple pages under a workflow could cause a deadlock

    When multiple content editors attempted to save pages under a workflow in the Pages application, a deadlock could occur in certain cases.

    12.0.6
  • Page types - Incorrect order of new fields in inherited page types

    If an existing page type inherited fields from another page type, and a new field or category was added to the parent, the position of the new field in the inherited type could be incorrect (the order was not adjusted according to the inherited type's own additional fields). After applying the hotfix, such new fields are always added directly below the inherited field that precedes the new field in the parent page type.

    12.0.6
  • Page types - Default value of page type fields always loaded in the editing form

    The 'Default value' of page type fields was always loaded in the editing form, even for existing pages that had a different value specified. Saving such forms could cause users to make unintended changes in the page data. The problem was introduced by applying hotfix 12.0.5. However, applying hotfix 12.0.6 reverts an older bug fix, and prevents the default value from being applied for the following system page fields: DocumentInheritsStylesheet, DocumentShowInSiteMap, DocumentMenuItemHideInNavigation, DocumentIsArchived, DocumentUrlPath, DocumentWildcardRule and DocumentPriority.

    12.0.6
  • MVC - Page builder not working when initialized in an MVC Area

    If the page builder was initialized in a controller of a page located in an MVC Area, an error was displayed instead of the content on the live site and when previewing the page.

    12.0.6
  • Data protection - Personal data not removed for identifiers containing special characters

    When erasing personal data from the system in the 'Data protection' application on the 'Right to be forgotten' tab, data subject identifiers (e.g. an email address) that contained certain special characters, such as '+', were not processed correctly, which could result in data not being removed.

    12.0.6
  • Web parts - Incorrect 'Users data source' order by behavior in special cases

    The 'Users data source' web part did not order data correctly if the 'ORDER BY condition' property contained multiple columns with different order directions (ASC or DESC keywords). The last order keyword was incorrectly used for all columns.

    12.0.5
  • Search - Operations with indexed pages resulting in an unresponsive user interface

    Created Azure search indexing tasks were processed synchronously, which could result in an unresponsive user interface (e.g., when manipulating indexed pages in the content tree). After applying the hotfix, created Azure search tasks are processed asynchronously in one-minute intervals (if not customized otherwise).

    12.0.5
  • Scheduler - High memory consumption by the Windows scheduler service

    The external Windows service for running scheduled tasks did not release allocated memory correctly in certain cases, which resulted in high memory consumption.

    12.0.5
  • Page types - Certain macros not resolved in required fields when creating new pages

    If a macro expression was added into the 'Default value' of a page type field with the 'Required' flag enabled, certain types of macros, for example {% EditedObject %}, were not evaluated correctly and returned a null value when creating new pages of the given type.

    12.0.5
  • MVC - Page and form builder errors for MVC sites with URLs converted to lower case

    If an MVC site was configured to convert URLs to lower case (by setting the 'RouteCollection.LowercaseUrls' property to true in the code of the related MVC project), errors occurred in certain parts of the page builder and form builder interface, for example the widget property configuration dialog.

    12.0.5
  • Import toolkit - Issues when using the Import Toolkit with continuous integration enabled

    The Import Toolkit utility did not reflect application keys in the web.config file of the related Kentico project. For example, this caused incorrect behavior when importing data with continuous integration enabled and a custom repository path configured in the target project's web.config. Additionally, serialization of continuous integration data was incorrectly performed when running a simulated import of data in the utility. To fix the issues, the hotfix must be applied to the Setup files (switch to advanced mode in the hotfix utility).

    12.0.5
  • Email marketing - Email links not tagged with UTM parameters in certain cases

    The 'Process domain prefix' setting was not taken into account when tagging links in marketing emails with UTM parameters. If the domain prefix in an email link's URL was different from the prefix in the main domain set for the site, the given link was not tagged with the specified UTM parameters.

    12.0.5
  • Search - Indexing errors when working with page categories in certain cases

    Updating or assigning page categories caused indexing tasks for Azure indexes of the 'Pages' type to fail if the index was newly created and not yet rebuilt, or if the subset of the content tree to be indexed, as specified on an index's 'Indexed content' tab, did not yet contain any pages.

    12.0.4
  • Licensing - Page builder license error for editions lower than EMS

    A license limitation error was logged for license editions lower than EMS when working with MVC widgets in the page builder. After applying the hotfix, such errors only occur if there are personalization condition types registered in the system (which require an EMS license).

    12.0.4
  • Staging - Staging tasks not logging into appropriate task groups in certain cases

    When an advanced workflow containing an asynchronous step (e.g., the 'Wait' or 'Send email' step) was applied to a page in a staging environment, changes to the page past the asynchronous step were not logged into the selected staging task group.

    12.0.3
  • Search - Invalid surrogate pair exception when indexing page attachment content

    When indexing page attachments, errors caused by invalid Unicode surrogate pairs in PDF files terminated the indexing operation. Since such invalid surrogate pairs can occur in otherwise valid PDF files, the pairs are now stripped during the indexing process.

    12.0.3
  • Email marketing - Newsletters could not be sent with lower than EMS licenses

    When sending newsletters, the "License for feature 'NewsletterABTesting' not found" error was logged in the event log and the newsletters were not sent on sites with lower than EMS licenses.

    12.0.3
  • Chat - 'Chat support request' web part not displaying in certain cases

    The 'Chat support request' web part did not render correctly in certain cases (e.g., on 404 error pages).

    12.0.3
  • Authentication - Multi-factor authentication validity interval customization

    The system disregarded all multi-factor authentication validity interval customizations (via overriding the 'ClockDriftTolerance' property).

    12.0.3
  • Web parts - Related pages displayed with the 'Repeater' web part ordered incorrectly

    The 'ORDER BY expression' field was not taken into account when displaying related pages using the 'Repeater' web part. The default order of the related pages was always displayed.

    12.0.2
  • Search - Improved error handling when indexing page attachment content

    When indexing page attachments, errors caused by malformed attachment content (e.g., invalid Unicode characters) displayed insufficient debugging information. After applying the hotfix, the error message contains the ID and name of the attachment causing the exception.

    12.0.2
  • Licensing - Product related errors on sites with Base or lower license editions

    Certain operations with products could lead to SQL deadlock errors on sites with the 'Kentico CMS Base' or lower license editions.

    12.0.2
  • Groups - Incorrect permissions required for accessing Group forum groups

    When accessing forum groups belonging to a specific group on the 'Forums' tab of the 'Group' application, more strict permissions than necessary were required.

    12.0.2
  • Contact management - Unable to set the 'Subsidiary of' field for accounts in certain cases

    When setting the 'Subsidiary of' field on the 'General' tab of an account in the 'Contact management' application, the system did not preserve the account selection if the parent account was selected via the '(more items…)' dialog window.

    12.0.2
  • On-line Marketing - Incorrect 'Activity URL' for Form submission activities on MVC sites

    Activities of the 'Form submission' type were logged with an incorrect 'Activity URL' value on content-only (MVC) sites. After applying the hotfix, such activities are logged with the URL of the page displaying the given form.

    12.0.1
  • Event log - Deleting of old events not working

    When logging new events into the event log, the system did not delete old events according to the limit specified in the 'Event log size' setting.

    12.0.1
  • Email marketing - Incorrect subscriber data after merging contacts from different sites

    On Kentico EMS instances hosting multiple sites, subscriber data was processed incorrectly when automatically merging contacts who subscribed to newsletters from different sites. This could lead to marketing emails not being sent to subscribers and loss of subscriber data in some cases.

    12.0.1
  • Security bugsFixed in version
  • URL hashing security improvements  Moderate

    Description

    The hotfix introduces an additional layer of security for URLs containing hashed strings, which prevents attackers from reusing hash values.

    Details

    Issue type:
    Cryptography
    Security risk:
    Moderate
    Found in version:
    12.0.102 and lower
    Fixed in version:
    12.0.103
    Fixed date:
    7/3/2023
    Reported by:
    External Company

    Recommendation

    Install the latest hotfix. You can download the latest hotfix from Download section on the DevNet portal. If you use an older version of Kentico Xperience, it is highly recommended to upgrade to the latest version.
    12.0.103
  • Denial of service caused by improper input validation  Important

    Description

    A specially crafted request sent to the GetResource handler may have been used to launch a denial-of-service attack. The vulnerability was fixed via input validation.

    Details

    Issue type:
    Denial of Service
    Security risk:
    Important
    Found in version:
    12.0.98 and lower
    Fixed in version:
    12.0.99
    Fixed date:
    4/8/2022
    Reported by:
    Federico Girardi

    Recommendation

    Install the latest hotfix. You can download the latest hotfix from Download section on the DevNet portal. If you use an older version of Kentico Xperience, it is highly recommended to upgrade to the latest version.
    12.0.99
  • Possible information disclosure in form control error messages  Informative

    Description

    If an error occurred when rendering a Portal Engine form control, the error message displayed on the live site included stack trace information.

    Details

    Issue type:
    Information disclosure
    Security risk:
    Informative
    Found in version:
    12.0 and below
    Fixed in version:
    12.0.92
    Fixed date:
    12/11/2020
    Reported by:
    Kentico Security Team

    Recommendation

    Install the latest hotfix. You can download the latest hotfix from Download section on the DevNet portal. If you use an older version of Kentico Xperience, it is highly recommended to upgrade to the latest version.
    12.0.92
  • Error messages in the administration interface vulnerable to XSS  Important

    Description

    There were several occurrences of a cross-site scripting vulnerability when the administration interface displayed an error message containing malicious user input (in object names). The issue was fixed by sanitizing special characters displayed in the error messages.

    Details

    Issue type:
    Cross-site scripting
    Security risk:
    Important
    Found in version:
    12.0.90 and below
    Fixed in version:
    12.0.91
    Fixed date:
    11/6/2020
    Reported by:
    Kentico Security Team

    Recommendation

    Install the latest hotfix. You can download the latest hotfix from Download section on the DevNet portal. If you use an older version of Kentico Xperience, it is highly recommended to upgrade to the latest version.
    12.0.91
  • Method used to resolve URLs was vulnerable to XSS  Important

    Description

    There were several occurrences of a cross-site scripting vulnerability when the system resolved URLs whose relative part contained a special sequence of characters. The vulnerability occurred in the administration interface, as well as controls that could be used on the live site. The issue was fixed by filtering out these characters.

    Workaround for all Kentico versions

    A manual workaround for this issue is to add URL sequences from "/(A(" to "/(Z(" to the <denyUrlSequence>  web.config element. The web.config should contain the following:

    <denyUrlSequences>
        <add sequence="/(A(" />
        <add sequence="/(B(" />
        ...
        <add sequence="/(Z(" />
    </denyUrlSequences>

    Details

    Issue type:
    Cross-site scripting
    Security risk:
    Important
    Found in version:
    12.0.74 and below
    Fixed in version:
    12.0.75
    Fixed date:
    6/26/2020
    Reported by:
    Kentico Security Team

    Recommendation

    Install the latest hotfix. You can download the latest hotfix from Download section on the DevNet portal. If you use an older version of Kentico Xperience, it is highly recommended to upgrade to the latest version.
    12.0.75
  • Administrators able to edit Global administrator users  Important

    Description

    Users with the 'Administrator' privilege level were able to send requests that modified other users with the higher 'Global administrator' privilege level (this was not possible directly in the user interface). Such changes could cause the global administrator to lose their privilege level, which could also impact the live site by invalidating security-sensitive macros signed by the given administrator. This vulnerability could not be used for privilege escalation.

    Details

    Issue type:
    Missing access control
    Security risk:
    Important
    Found in version:
    10.0
    Fixed in version:
    12.0.60
    Fixed date:
    2/28/2020
    Reported by:
    Denis Styopochkin - Security Engineer, SoftServe

    Recommendation

    Install the latest hotfix. You can download the latest hotfix from Download section on the DevNet portal. If you use an older version of Kentico Xperience, it is highly recommended to upgrade to the latest version.
    12.0.60
  • Flawed MIME type validation for uploaded files  Important

    Description

    Certain locations within the system allowed uploading of files with a spoofed Content-Type that did not match the file extension, which could lead to XSS vulnerability.

    Details

    Issue type:
    Cross-site scripting
    Security risk:
    Important
    Found in version:
    9.0 - 12.0.49
    Fixed in version:
    12.0.50
    Fixed date:
    11/29/2019
    Reported by:
    Ataberk Yavuzer

    Recommendation

    Install the latest hotfix. You can download the latest hotfix from Download section on the DevNet portal. If you use an older version of Kentico Xperience, it is highly recommended to upgrade to the latest version.
    12.0.50
  • Virtual context URLs leak via the HTTP Referer header  Moderate

    Description

    URLs pointing to third party domains leaked virtual context information via the HTTP Referer header. This occurred, for example, when a user editing an MVC page in the page builder clicked on a link or displayed an image loaded from a third party domain.

    Workaround for all Kentico versions
    The workaround for this issue is to add the 'meta referrer' tag to the HTML output of your MVC pages, i.e. set: <meta name="referrer" content="origin">.

    Details

    Issue type:
    Information Security Disclosure
    Security risk:
    Moderate
    Found in version:
    12.0.47
    Fixed in version:
    12.0.48
    Fixed date:
    11/15/2019
    Reported by:
    Kentico Security Team

    Recommendation

    Install the latest hotfix. You can download the latest hotfix from Download section on the DevNet portal. If you use an older version of Kentico Xperience, it is highly recommended to upgrade to the latest version.
    12.0.48
  • Unrestricted file upload in MVC forms  Important

    Description

    For files uploaded through forms on MVC sites using the 'File uploader' form component, it was possible to change the recorded original file name on subsequent requests after the initial upload was successful. This allowed upload of any file types to the system. Only users with the 'Read data' permission for the 'Forms' module were able to access these files.

    Details

    Issue type:
    Unrestricted File Upload
    Security risk:
    Important
    Found in version:
    12.0.29
    Fixed in version:
    12.0.37
    Fixed date:
    8/30/2019
    Reported by:
    Kentico Security Team

    Recommendation

    Install the latest hotfix. You can download the latest hotfix from Download section on the DevNet portal. If you use an older version of Kentico Xperience, it is highly recommended to upgrade to the latest version.
    12.0.37
  • User widget properties disclosing system object information  Moderate

    Description

    An authenticated user was able to view certain system objects through the live site widget properties dialog.

    Details

    Issue type:
    Information Security Disclosure
    Security risk:
    Moderate
    Found in version:
    12.0.0 and below
    Fixed in version:
    12.0.32
    Fixed date:
    7/26/2019
    Reported by:
    Kentico Security Team

    Recommendation

    Install the latest hotfix. You can download the latest hotfix from Download section on the DevNet portal. If you use an older version of Kentico Xperience, it is highly recommended to upgrade to the latest version.
    12.0.32
  • Unauthenticated Remote Code Execution through .NET object deserialization in staging service  Critical

    Description

    Due to an error in the Microsoft.Web.Services3 library, it was possible for a specially crafted request on staging service to bypass the initial authentication and proceed to deserialize user-controlled input. The deserialization of the user-controlled input then led to remote code execution on the server where the Kentico instance was hosted.

    Workaround for all Kentico versions
    The workaround for this issue is the same for all projects, regardless of staging utilization - set the 'Staging service authentication' setting to 'X.509':
     1. Navigate to 'Settings' -> 'Versioning & Synchronization' -> 'Staging'
     2. Under the 'Staging service' section set 'Staging service authentication' to 'X.509'
     3. 'Save' the changes

    Details

    Issue type:
    Remote Code Execution
    Security risk:
    Critical
    Found in version:
    9.0 - 12.0.14
    Fixed in version:
    12.0.15
    Fixed date:
    3/22/2019
    Reported by:
    Aon’s Cyber Solutions

    Recommendation

    Install the latest hotfix. You can download the latest hotfix from Download section on the DevNet portal. If you use an older version of Kentico Xperience, it is highly recommended to upgrade to the latest version.
    12.0.15

Hotfixes for 11.x

Fixed Bugs   Security Bugs
  • Bug DescriptionFixed in version
  • Social media - URL shortening causing excessive CPU load

    When using URL shorteners to process links in text posted to social media, the application consumed excessive resources on the server (CPU) if the link URLs contained certain special characters. The problem also occurred when calling the 'URLShortenerHelper.ShortenURLsInText' method in custom code.

    11.0.49
  • E-commerce - Undetected breaking change for custom tax calculation implementations

    Applying hotfix 11.0.39 or newer introduced a change in the e-commerce API, which could cause undetected broken functionality for sites with a customized tax calculation process. After applying hotfix 11.0.47, such cases now clearly result in a runtime and compilation error. Any custom code that prepares 'TaxCalculationResult' objects can no longer use the setter of the 'TotalTax' property, and must instead set the new 'ItemsTax' and 'ShippingTax' properties.

    11.0.47
  • E-commerce - Product related errors on sites with Base or lower license editions

    Certain operations with products could lead to SQL deadlock errors on sites with the 'Kentico CMS Base' or lower license editions.

    11.0.47
  • Search - Improved error handling in page attachment content indexing

    When indexing page attachments, errors caused by malformed attachment content (e.g., invalid Unicode characters) displayed insufficient debugging information. After applying the hotfix, the error message now contains the ID and name of the attachment causing the exception.

    11.0.46
  • Email marketing - Incorrect subscriber data after merging contacts from different sites

    On Kentico EMS instances hosting multiple sites, subscriber data was processed incorrectly when automatically merging contacts who subscribed to newsletters from different sites. This could lead to marketing emails not being sent to subscribers and loss of subscriber data in some cases.

    11.0.46
  • Form controls - Selection dialog for '(more items...)' not opened in certain cases

    If certain drop-down selector form controls (e.g. the 'Uni selector' in 'Single drop down list' selection mode) were placed into a form that was displayed in a dialog, such as the web part configuration dialog, and the field's settings also used an 'Enabled condition', clicking the '(more items...)' option in the list did not work correctly and the additional selection dialog was not opened.

    11.0.45
  • E-commerce - 'OrderDiscount' property not set for shopping cart objects in custom code

    When writing custom code that obtained a shopping cart object for an existing order using the 'ShoppingCartInfoProvider.GetShoppingCartInfoFromOrder' method, the cart's 'OrderDiscount' property was not set and always returned 0 (until the shopping cart was recalculated by calling its 'Evaluate()' method).

    11.0.45
  • Data protection - 'Contact has agreed with consent' macro rule not evaluating correctly

    The 'Contact has agreed with consent' macro rule was not evaluated correctly in certain types of conditions (for example in marketing automation process triggers), and always returned a false value.

    11.0.45
  • Import/Export - Page type and custom table permissions not imported

    When importing a page type or custom table on an instance where the given object did not exist yet, role permissions configured for the page type or custom table were not imported.

    11.0.44
  • Facebook connect - Facebook authentication not working

    Authentication failed when signing in to a website through the 'Facebook Connect logon' web part (a JavaScript error occurred due to changes in the Facebook SDK).

    11.0.44
  • E-commerce - Error on product detail pages with info messages for unavailable variants

    An error occurred on pages that displayed product details using an ASCX transformation containing the 'ShoppingCartItemSelector' control, if the control's 'UnavailableVariantInfoEnabled' property was enabled and the displayed product did not have any defined variants.

    11.0.44
  • Search - Local search indexes not working on scaled out Azure Web Apps

    Local search indexes did not work when running Kentico as a scaled out Azure Web App with the 'CMSSharedFileSystem' web.config key enabled (this key was introduced in hotfix 11.0.23).

    11.0.43
  • Pages - Pages under workflow incorrectly published after restoration from the recycle bin

    Attempting to publish a page under a workflow after restoring it from the recycle bin worked incorrectly. This happened only if the workflow was applied to an existing page after its creation.

    11.0.43
  • Import/Export - Unable to execute certain scheduled tasks imported from an older version

    If the 'Membership reminder', 'Report subscription sender' or 'Users delete non activated user' scheduled tasks were imported within a package from an older version, the given tasks could not be executed due to an incorrect assembly and class name.

    11.0.43
  • General export - Text containing special characters malformed in the exported files

    When using the general export feature of listings in the administration interface (export to Excel, CSV or XML files), text data containing special characters, such as diacritics, could be malformed in the exported files.

    11.0.43
  • Social Media - Facebook integration features not working

    Due to changes in the Facebook API and updated security requirements, the initial Facebook authentication and page publishing functionality in Kentico no longer works. To use the features, you need to apply the hotfix, and manually set 'Valid OAuth redirect URIs' for your Facebook app, and ensure that it has the required permissions via the Facebook App Review. See the hotfix instructions for details.

    11.0.42
  • Search - Azure Search indexing blocked after updating an excluded page

    On sites using an Azure Search index, updating a page that had the 'Exclude from search' option enabled (on the 'Properties -> Navigation' tab of the Pages application) resulted in a failed indexing task, which blocked further processing of Azure Search tasks (until the failed task was manually deleted).

    11.0.42
  • Pages - Unsaved changes message displayed incorrectly for 'Uni selector' page fields

    A warning message about not saved changes was displayed after editing and saving a page field using the 'Uni selector' form control (on the Form or Content tab of the Pages application). The warning message was displayed even when all changes were correctly saved.

    11.0.42
  • Pages - Incorrect deleting of page templates shared by multiple culture versions

    If a multilingual page used an ad-hoc page template shared by all culture versions, deleting a culture version of the page also permanently deleted the page template (this caused the remaining culture versions to display blank content). After applying the hotfix, templates shared by multiple culture versions are deleted only after deleting the last culture version of a page.

    11.0.42
  • MVC - Output caching not working on MVC sites for registered users

    Output caching did not work correctly on the pages of MVC sites for registered users due to unnecessary cookie operations performed by the system. The problem affected users whose 'Preferred user interface culture' was set to '(default)', for example newly registered users.

    11.0.42
  • Email marketing - A/B testing variants of emails not evaluated correctly by some macros

    Certain macros related to email marketing did not take A/B testing variants of emails into account. For example, this could lead to incorrect evaluation of conditions that used the "Contact has opened marketing email" macro rules.

    11.0.42
  • Search - Page crawler search indexes not working for content only page types

    Smart search indexes of the 'Pages crawler' type used incorrect URLs for pages of content only page types, which prevented content from being indexed (for example on MVC sites).

    11.0.41
  • Page types - Default values not applied for some system page fields

    When adding system page fields to a page type (fields with the 'Field type' set to 'Page field'), the 'Default value' was not applied in the resulting editing form for certain system fields, for example 'DocumentMenuItemHideInNavigation'.

    11.0.41
  • Email marketing - Incorrect detection of existing subscribers with double opt-in

    If a contact was already subscribed to a newsletter with double opt-in enabled and attempted to subscribe again after the double opt-in interval had expired, the system did not inform them about the existing subscription. Similarly, calling the 'IsSubscribed' API method of the default 'ISubscriptionService' in custom code incorrectly returned a false value in these cases.

    11.0.41
  • Pages - Incorrect validation of changes to page form fields

    When a page field was edited on the Form tab of the Pages application with a value that did not meet the requirements of a validation rule, repeated submission of the data (e.g., moving to the next workflow step) incorrectly resulted in successful validation (while the original data was submitted).

    11.0.40
  • Scheduler - Incorrect next run time for tasks running on specific days of the week

    If a scheduled task was configured to run only on specific days of the week, the 'Next run' time was calculated incorrectly under certain circumstances.

    11.0.39
  • Email marketing - Duplicate marketing emails sent in web farm environments

    On sites running in a web farm environment, duplicate copies were sent out for a portion of newsletter or email campaign emails in certain cases.

    11.0.39
  • Attachments - Incorrect resizing of attachment images according to device profiles

    Resizing of attachment images according to device profiles did not work correctly. Resizing was performed according to the device profile active when the image was requested for the first time. The result was cached and incorrectly served for all other profiles until the cache expired.

    11.0.39
  • E-commerce - PayPal payments failed when prices included tax

    Payments using the default PayPal provider failed if the site was configured to include tax in prices. If you have customized the tax calculation process by creating your own 'ITaxCalculationService' implementation, you need to manually update your code after applying the hotfix. When preparing 'TaxCalculationResult' objects, set the new 'ItemsTax' and 'ShippingTax' properties instead of the original 'TotalTax'.

    11.0.39
  • Macros - 'Documents' macro not returning columns of specific page types

    If the 'Documents' macro was used together with the 'Columns' macro method, the returned pages did not contain coupled data columns of specific page types (even when the 'WithAllData' property was added to the Documents collection, and the given columns were specified in the 'Columns' method).

    11.0.38
  • Macros - The 'RelatedDocuments' macro returning incorrect pages

    The 'RelatedDocuments' property available for page objects in macros did not work correctly (the macro is used to retrieve a collection of all pages related to the given page through a relationship with the specified name).

    11.0.38
  • Field editor - Error when creating Binary type fields

    An unhandled error occurred when creating fields with a data type for which no form control was available (e.g. 'Binary' type fields in custom module classes). After applying the hotfix, the error no longer occurs in these cases and the 'Form control' selector is disabled. However, it is still necessary to implement a custom form control if you wish to display fields of the given type in forms.

    11.0.38
  • Contact management - Account primary and secondary contacts removed when merging contacts

    The primary or secondary contact assigned to an account was removed if the corresponding contact was merged with another contact (for example with a new anonymous contact).

    11.0.38
  • Form controls - reCAPTCHA generating invalid HTML

    When a field using the 'reCAPTCHA' form control was added to a form, the resulting HTML code was invalid (a <span> tag containing <div> elements). After applying the hotfix, the rendered <span> is replaced by a <div>.

    11.0.37
  • Form controls - 'HTML5 input' control only allowed integer values for certain attributes

    The 'HTML5 input' form control only accepted integer (whole number) values when configuring the 'Max', 'Min' and 'Step' attributes. After applying the hotfix, other types of values, such as decimal numbers or dates, can be saved into the attributes.

    11.0.37
  • Sites - Stack overflow error when switching sites

    In special cases, switching between sites in the header of the administration interface could cause an error (stack overflow exception) and a possible site crash. The problem occurred only on instances with customizations performing certain types of actions within handlers for the user update event.

    11.0.36
  • Licensing - License error when using certain cultures

    Licenses were not loaded correctly when using cultures with certain calendar types (for example the Persian calendar).

    11.0.36
  • Pages - Incorrect order of page aliases with wildcards in certain cases

    Page aliases containing wildcards were processed in an incorrect order in certain cases. For example, if a page had two aliases with paths like '/page/{param}' and '/page/{p1}-{p2}', accessing the URL path '/page/value1-value2' resulted in the first alias being selected instead of the second (the value of the 'param' parameter was 'value1-value2', and the 'p1' and 'p2' parameters were not set). After applying the hotfix, you need to resave all page aliases where this problem occurs.

    11.0.35
  • WYSIWYG editor - Options dialog not working for SCAYT functionality

    After enabling SCAYT (Spell Check As You Type) functionality in the editor, the options dialog (languages, dictionaries, etc.) did not work correctly.

    11.0.34
  • Personas - Personalization based on personas not working correctly on web farms

    On sites running in a web farm environment, content personalization conditions based on the visitor's persona were not evaluated correctly in some cases, which caused the incorrect personalized content to be displayed.

    11.0.34
  • Continuous integration - 'PathTooLongException' errors with insufficient information

    If the serialization of an object by the continuous integration solution failed because the resulting file's absolute path exceeded the maximum limit of 260 characters, the system logged a 'PathTooLongException' error into the event log without any additional debugging information. After applying the hotfix, the error message contains the absolute path of the file.

    11.0.34
  • Search - Locked search index files on shared file systems

    When storing smart search indexes on a shared file system (for example Azure Blob storage or on instances deployed to Azure Web Apps), the index files could become locked if an application restart occurred while building or updating an index. This blocked further index operations, such as index rebuilds. After applying the hotfix, the system is able to automatically resolve most scenarios related to locked index files. If your system already contains index lock files created before applying the hotfix, you need to manually delete them from the file system.

    11.0.33
  • E-commerce - Incorrect total value in 'Sales' and 'Number of orders' reports

    The 'Sales' and 'Number of orders' e-commerce reports displayed an incorrect "Total" value when filtering with a specific 'To' date was used.

    11.0.33
  • Web parts - Error when selecting queries with SQL Server 2008 R2

    On instances with a database hosted on SQL Server 2008 R2, an error occurred when selecting a query in the configuration dialog of a custom query web part (for example via the 'Query name' property of the 'Repeater with custom query' web part). The issue only occurred after applying hotfix 11.0.12 or newer.

    11.0.32
  • Salesforce - FormatException when loading an empty field value in the Salesforce API

    When using the Kentico integration API for Salesforce in custom code, a FormatException error occurred after executing a SOQL query that returned an empty value for a field.

    11.0.32
  • User interface - Incorrect selection dialog behavior when using filtering

    When using a selection dialog to select items with a specified filter (e.g., adding applications filtered by name to the default system dashboard for individual roles via the 'Roles' application), the filtering operation was also applied to the existing selection of items, often causing the loss of a portion of the selected items.

    11.0.31
  • General export - Export menu not working in Contact demographics

    The menu providing data export options did not work in the 'Contact demographics' report accessible from the 'Email marketing' and 'Campaigns' applications.

    11.0.30
  • Email marketing - Error when creating email feeds with multiple sites on a single domain

    In an environment with multiple sites running on a single domain, an error occurred when a user tried to create a new email feed in the 'Email marketing' application.

    11.0.30
  • Form controls - Country selector form fields not displaying states in special cases

    The 'Country selector' form control did not display the state selector element if used for a field in a form that was placed into an editable text area through the 'On-line form' inline widget.

    11.0.29
  • E-commerce - Displaying invalid coupon codes in the shopping cart

    When displaying coupon codes added to a customer's shopping cart, it was not possible to adjust the appearance of codes that are no longer valid (for example after the cart's total price falls under the value required by the coupon code's discount). After applying the hotfix, coupon code transformations provide an 'IsApplied' data property, which can be used to evaluate whether codes are still valid.

    11.0.29
  • Transformations - Access denied for hierarchical transformations in the Pages application

    Users without the administrator privilege level encountered an 'Access denied' error when attempting to edit hierarchical transformations from the web part configuration dialog in the Pages application, even if they had sufficient permissions for the 'Design' and 'Content' modules.

    11.0.28
  • Sites - Site stopped after saving an already used domain alias

    After attempting to save a domain alias with a domain value that was already used by another alias (on the same site or another site), the edited site was stopped.

    11.0.28
  • General export - Error when exporting data of all page aliases

    When using the Advanced export feature for page aliases in the 'View all aliases' dialog in the Pages application, an error occurred if the 'Current page only' option was disabled.

    11.0.28
  • Event log - Missing user name data for events logged under impersonation

    When an administrator performed actions while impersonating another user, entries created in the system's event log did not contain the administrator's original name (only the name of the impersonated user).

    11.0.28
  • Email marketing - Sending error with bounced email monitoring and a sender name comma

    Sending of marketing emails failed if monitoring of bounced emails was enabled and the sender name configured for the email feed or specific email contained a comma character.

    11.0.28
  • E-commerce - Users unable to manually create or edit coupon codes for gift cards

    Users without the administrator privilege level were not allowed to manually create or edit coupon codes for gift cards, even with sufficient permissions for managing gift cards.

    11.0.28
  • Data engine - Unsupported union operations in the IMultiQuery API

    The API incorrectly allowed 'Union', 'UnionAll', 'Intersect' and 'Except' operations to be used with IMultiQuery objects (most commonly 'MultiDocumentQuery' objects returned when retrieving pages of multiple types). These operations are not supported for such objects and generated incorrect queries. After applying the hotfix, such operations result in a "not supported" exception.

    11.0.28
  • On-line Marketing - Geolocation support for Maxmind GeoIP2 Databases

    By default, the geolocation feature uses MaxMind's GeoLite or GeoIP Legacy Databases, which will be discontinued in the future. The hotfix allows you to manually integrate the newer GeoIP2 Databases. To do this, you need to apply the hotfix, then install the 'Kentico.Geolocation.Update-v11' NuGet package, and add the required database files into your web project. See the hotfix instructions for details.

    11.0.27
  • Marketing automation - Incorrect newsletter unsubscription in automation processes

    'Unsubscribe from newsletter' action of the 'Newsletter subscription' step in Marketing automation did not work correctly.

    11.0.27
  • E-commerce - PayPal payments failed for orders with certain types of advanced discounts

    Payments using the default PayPal provider failed if the order had an applied Buy X Get Y discount or Product coupon discount with a certain type of additional condition (for example a discount available only for registered users).

    11.0.27
  • Web farms - Page URL paths of the 'Route' type not synchronized correctly between servers

    When a URL path value of the 'Route' type was modified for a page, the changes were not synchronized correctly between web farm servers.

    11.0.26
  • General export - Error when exporting activity data with non-default columns

    When using the Advanced export feature for the activity log in the 'Contact management' application, an error occurred if the 'Export raw database data' option was enabled and columns that are not included in the activity list by default were selected.

    11.0.26
  • Email marketing - Incorrect behavior of default values of email widget properties

    Default values of email widget properties were incorrectly applied whenever empty values were saved to the properties.

    11.0.26
  • Dialogs - Missing notification message in page content tree dialogs

    When performing page content tree actions in a modal dialog (for example moving a page), the interface could be confusing after switching to the listing mode that shows all sub-pages of a specific page. After applying the hotfix, a notification message is displayed to inform the user about the change of listing mode and to enable them to get back to the original listing.

    11.0.26
  • Widgets - Widgets disappeared on pages under workflow with content personalization enabled

    If content personalization was enabled, adding a widget with the 'Skip initial configuration' option enabled on a page under workflow could cause other widgets in the given zone to disappear after the page was saved.

    11.0.25
  • Email marketing - Email widget properties incorrectly reflected the UI culture

    Email widgets did not reflect the selected UI culture when storing their properties which could lead to an error when editing the widget. After applying the hotfix, you need to manually re-save the configuration of affected widgets in your emails.

    11.0.25
  • Web parts - Incorrectly resolved URLs of YouTube videos

    The system incorrectly resolved URLs of videos inserted via the 'YouTube video' web part or widget. The issue only occurred after applying hotfix 11.0.22 or newer.

    11.0.24
  • User interface - 'Clear' buttons in the Users application not working

    When clicking the 'Clear' button next to the 'In roles' and 'Not in roles' fields in the advanced user search on the 'Users' tab of the 'Users' application, the textbox field was not cleared.

    11.0.24
  • Translation services - Translations.com submission failed under certain circumstances

    Translations.com submission could fail when a page was submitted for translation into multiple cultures, but was already translated into some of the target cultures (even though the 'Skip already translated pages' checkbox was selected).

    11.0.24
  • General - Incorrect parsing of double numbers with a group separator

    The system did not accept values of the floating-point number (double) type that contained a digit group separator (thousands separator), but did not have a decimal part. The problem occurred only after applying hotfix 11.0.22 or newer.

    11.0.24
  • General - Web bots generating event log errors on pages with selectors

    Errors were generated in the system's event log when web bots, such as search engine crawlers, processed pages containing certain types of selector components (for example a country selector).

    11.0.24
  • Data protection - Improved performance when searching for personal data

    Searching for personal data in the 'Data protection' application was inefficient. Applying the hotfix improves the performance of the personal data search.

    11.0.24
  • Code generation - Invalid code generated for field descriptions with newline characters

    Code generated for page types, custom tables, forms or module classes was invalid if the given object had a field with a description containing newline characters. Saving the resulting code could lead to an error on the site (the code could not be compiled).

    11.0.24
  • Web farms - Issues with web farm task generation on shared file systems

    Redundant web farm synchronization tasks were being created and processed in environments where multiple web farm instances shared a single file system (e.g., when running Kentico in Azure Web Apps). This could lead to unwanted side effects, e.g., when synchronizing smart search indexes. The hotfix introduces a new 'CMSSharedFileSystem' web.config key that notifies web farm instances they are operating over a shared file system and configures them accordingly. See the hotfix instructions documentation page for more details.

    11.0.23
  • Localization - Resolving of resource strings not working with Async customizations

    If the '~\CMSPages\PortalTemplate.aspx' page was customized by adding the Async="true" attribute to the 'Page' directive, resolving of resource strings in page content did not work correctly.

    11.0.23
  • General - Error when using .NET Framework 4.7.2

    If the Target framework of a Kentico web project was set to .NET Framework 4.7.2, a compilation error occurred due to an ambiguous reference (ToHashSet method). The error could also occur after installing .NET Framework 4.7.2 if live site debugging was enabled on the live site.

    11.0.23
  • General - Access denied page in the administration interface showing a generic error

    The access denied page of the administration interface did not work correctly when running on certain types of domains, and a generic 403 error was displayed instead when a user attempted to access an administration page without the required permissions.

    11.0.23
  • Data protection - Incorrect culture for page links inserted into consent text

    Links to pages inserted into consent text in the 'Data protection' application did not always reflect the culture selected in the 'Language of consent' selector.

    11.0.23
  • Cookie consent - Cookie law web part disabled access to the admin UI

    When the 'Cookie law and tracking consent' web part was placed on a page and the 'Default cookie level' setting was set to 'System', users were repetitively signed out from the administration interface after attempting to view this page in the Pages application.

    11.0.23
  • Continuous integration - Custom table data not restored in special cases

    When running continuous integration configured to not exclude any object types, or using the object blacklist (i.e. having objects specified under the '<ExcludedObjectTypes>' element in the 'repository.config' file) and restoring a new custom table type already containing some data, the corresponding data was restored only after the second time continuous integration was run. After applying the hotfix, new custom table definitions together with their corresponding data are restored in a single run of the continuous integration application.

    11.0.23
  • Users - Global roles removed after assigning a site role to a user

    Adding a site-specific role to a user on the Roles tab in the Users application caused all global roles to be removed for the given user.

    11.0.22
  • On-line Marketing - Incorrect processing of on-line marketing activities in certain cases

    The processing of on-line marketing activities could malfunction and log errors in the event log under certain circumstances.

    11.0.22
  • General - Failed evaluation of validation rules in special cases

    Evaluation of form field validation rules could fail or lead to errors in special cases.

    11.0.22
  • Form controls - Macro security warnings logged when validating text area form fields

    If a field using a text area form control (e.g. 'Text area' or 'Rich text editor') had a specified maximum text length, the system logged macro security warnings in the event log when the text length was exceeded in the resulting form, even if the text did not contain any macros.

    11.0.22
  • Email marketing - Errors when sending emails to contacts merged from different sites

    Merging of contacts who subscribed to newsletters from different sites caused data inconsistencies, which could lead to errors when sending the newsletters.

    11.0.22
  • Web parts - Page templates containing certain web parts could not be checked in

    If object locking of page templates was enabled, templates containing the 'Customer address' or 'Customer detail' web part could not be checked in while displaying web part content (on the Design tab of the Pages application).

    11.0.21
  • Macros - Invalid macros in versioned transformations after re-signing

    Macros placed in the code of transformations could become invalid in special cases after re-signing macros in System -> Macros -> Signatures. The problem occurred if the macro expression contained certain characters (e.g. '<' or '>'), and object versioning was used for transformations, for example when undoing check-out or restoring an older version of a transformation.

    11.0.21
  • Continuous integration - Error when restoring objects with a 'Not required' reference

    An error occurred when restoring continuous integration files if the data contained an object with a field representing an optional reference to another object, and the referenced object was deleted (for example, the 'ItemCreatedBy' field of custom table data items referencing a user object). After applying the hotfix, such objects are restored successfully with a null value in the given reference field.

    11.0.21
  • Code generation - Invalid code generated for text fields with certain default values

    Code generated for page types, custom tables, forms or module classes was invalid if the given object had a field of the Text or Long text type with a default value containing certain characters (for example newlines or quotation marks). Saving the resulting code could lead to an error on the site (the code could not be compiled).

    11.0.21
  • Widgets - Error when selecting the '(more items...)' option in the widget Layout selector

    When selecting a layout of a widget in the 'Widgets' application, an error occurred if there was a large number of available layouts and the '(more items...)' option was selected.

    11.0.20
  • E-commerce - Coupon codes could be applied more than once in certain cases

    Discount coupon codes could be applied more than once during checkout in certain cases.

    11.0.20
  • Social Media - LinkedIn functionality updated to use OAuth 2.0

    Effective May 18th, 2018, the LinkedIn API will no longer work with the original OAuth 1.0 implementation in Kentico. The hotfix updates the system to use OAuth 2.0 authentication for LinkedIn company management and authentication functionality. After applying the hotfix, you need to add appropriate 'Authorized Redirect URLs' for your application in the LinkedIn developer portal, and also 'Reauthorize' all LinkedIn company profiles in your 'LinkedIn' application in Kentico. See the hotfix instructions for details.

    11.0.19
  • On-line Marketing - 'Log on-line marketing activity' value reset for pages under workflow

    The 'Log on-line marketing activity' property was reset for pages under workflow every time a new version of the page was created.

    11.0.19
  • E-mail engine - Failed email sending if an address value ended with a semicolon

    Sending of emails failed and an error was logged in certain cases if one of the email address field values (e.g., email recipients) ended with a semicolon character (typically used as a separator between addresses). For example, the problem occurred when sending form email notifications.

    11.0.19
  • Users - User search incorrectly returning users from other sites

    When a user without the Global administrator privilege level searched for users in the 'Users' application, the results incorrectly included users who were not assigned to the current site.

    11.0.18
  • E-commerce - Localized product names not resolved in PayPal data

    If the names of products, option categories, product options, or product variants were localized using resource strings, the names were not resolved in the order data sent to PayPal when making payments through the default PayPal gateway. After applying the hotfix, localized product names are resolved into the content culture that was active for the customer during checkout.

    11.0.18
  • On-line Marketing - Users with sufficient permissions could not start automation processes

    Due to an incorrect permission check, users with the 'Start process' permission for the 'On-line marketing' module could not start automation processes.

    11.0.17
  • Continuous integration - Complex queries generated for certain actions with CI enabled

    When continuous integration was enabled, certain operations that affected a large number of related objects caused the system to generate extremely complex SQL queries, which could lead to incorrect behavior or logged SQL server errors. For example, the problem could occur after changing the 'Page alias' of a page.

    11.0.17
  • WYSIWYG editor - Setting the 'EnterMode' properties of 'CKEditorControl' in custom code

    When working with an instance of 'CKEditorControl' in custom code, setting the control's 'EnterMode' or 'ShiftEnterMode' properties did not correctly adjust the HTML output generated by the resulting editor.

    11.0.16
  • Security - POST requests to non-existing pages logging CSRF exceptions in the event log

    Due to a misconfiguration of the system, POST requests missing a CSRF token leading to nonexistent pages on sites with a configured 'Page not found URL' setting resulted in a 'CSRF' exception being logged in the 'Event log' application. After applying the hotfix, the system logs a standard 'PAGENOTFOUND' exception and returns the server's default 404 response.

    11.0.16
  • Email marketing - Opened emails and clicked links not tracked in certain cases

    Opened emails and links clicked within those emails were not being tracked when the recipient's email address contained a plus ('+') sign.

    11.0.16
  • Licensing - Less restricted license limitations on the number of products

    Applying the hotfix changes the license limitations on the maximum number of enabled products. The limit is removed completely for 'Kentico CMS Ultimate' license editions and increased to 500 products for 'Kentico CMS Base' editions.

    11.0.15
  • Caching - Incorrect output cache expiration for pages with a 'Publish to' value

    The expiration time of output cache items was incorrect for pages under workflow that had a 'Publish to' value specified (in cases where the 'Publish to' time occurred later than the expiration time determined by the 'Cache minutes' set for the output cache).

    11.0.15
  • Staging - Staging tasks not logged for the 'Settings' application

    Staging tasks were not logged for changes made in the 'Settings' application.

    11.0.14
  • Campaigns - License limitation error when using UTM parameters without an EMS license

    If a page with output caching enabled was accessed with UTM parameters in the URL query string, a license limitation error occurred if the site had a lower license edition than EMS.

    11.0.14
  • SharePoint - Error when loading SharePoint list data without the 'Title' field

    An error occurred when retrieving SharePoint list data that did not contain the 'Title' field.

    11.0.13
  • Search - Errors when processing custom table search tasks in special cases

    Processing of search indexing tasks for custom table data failed if the primary key column of the related custom table had a different name than 'ItemID'. Such custom tables can be created via the 'Use an existing database table' option in the custom table creation wizard.

    11.0.13
  • General - Error messages in the event log in special cases

    On instances using Windows authentication, an error was logged into the system's event log if a visitor's first request targeted a resource handler that used a read-only session (for example an attachment or media file URL).

    11.0.13
  • Form controls - Incorrect default values for 'Required' form fields in certain cases

    Form fields without a specified 'Default value' that had the 'Required' property enabled incorrectly contained a default value when using certain form controls. For example, if a required field of the 'Decimal number' data type used the 'Text box' form control and had no 'Default value' specified, the field's value was '0' in the resulting form.

    11.0.13
  • User interface - Duplicated name prefix in transformation and query selection dialogs

    The selection dialogs for queries and transformations incorrectly displayed the page type or custom table prefix twice in the names of the listed transformations or queries (for example when selecting a transformation in the configuration of a listing web part).

    11.0.12
  • E-commerce - Infinite loop when resolving current shopping cart macros in special cases

    If a macro that accessed the current shopping cart was added to a condition which the system resolved during the shopping cart calculation process, an infinite loop could occur, leading to a stack overflow error and possible server crash. For example, the problem could be triggered by using the 'ECommerceContext.CurrentShoppingCart' macro within the condition of a discount. Applying the hotfix prevents such errors. However the 'ECommerceContext.Current*' macros are not intended for use in shopping cart calculation conditions (e.g. discounts) and may still work incorrectly - use the Context specific macro objects instead.

    11.0.11
  • E-commerce - Customer addresses duplicated during checkout

    If a customer selected an existing address during checkout (via the 'Customer address' web part), another copy of the given address was created for the customer.

    11.0.11
  • Import/Export - Unwanted form definition updates when importing from an older version

    When importing a package from an older version that contained form, custom table, page type or module class objects, the field definitions and database structure of the given objects could be overwritten even if the objects were not selected during the import. Additionally, an error occurred in some cases when importing packages with this type of data.

    11.0.10
  • Form controls - New reCAPTCHA implementation

    The original implementation of the 'reCAPTCHA' form control will stop working after March 31, 2018. The hotfix updates the control to use reCAPTCHA v2 (allows users to prove they are human simply by clicking a checkbox). Please register your site again at https://www.google.com/recaptcha/admin, select the 'reCAPTCHA v2' type, and copy the new API keys into the corresponding Kentico settings.

    11.0.10
  • E-commerce - Error when viewing stand-alone SKUs

    When viewing stand-alone SKUs in the 'Products' application, an error was displayed above the list and the product data was not loaded correctly. The problem occurred only after applying hotfix 11.0.3 or newer.

    11.0.10
  • SharePoint - SharePoint data source incorrectly handling complex types

    The 'SharePoint data source' web part did not correctly handle multiselect fields with complex types. The hotfix ensures that the data source processes such fields into strings consisting of the type's properties separated by semicolon (;) characters, and individual entries separated by newline characters (environment specific). You need to manually parse the string within the transformations applied to the data source's output, for example: 'String.Split(Eval<string>("MultiselectField"), Environment.NewLine).Select(l => String.Format("{1} ({0})", String.Split(l, ";")))'

    11.0.9
  • Dashboards - Repetitive reloading of certain dashboard pages

    If the 'Allow preview mode on the live site' setting was disabled, certain widget dashboards in the administration interface reloaded constantly (for example the 'Dashboard' page in the 'Web analytics' application).

    11.0.9
  • Security - Improved security for Facebook integration features

    The hotfix adds support for app secret proof parameters when communicating with integrated Facebook apps. If your website uses the Facebook page integration features or Facebook authentication, we strongly recommend applying the hotfix and then securing your Facebook app. Configure your app at https://developers.facebook.com/apps and enable the 'Require App Secret' option in the 'Settings -> Advanced' section.

    11.0.8
  • Search - Synonym search not working

    The synonym search functionality of locally stored search indexes did not work (when using the 'Any words or synonyms' search mode).

    11.0.8
  • Bounced e-mails - Marketing emails sent to undeliverable contacts in special cases

    Marketing emails were incorrectly sent to contacts labeled as 'Undeliverable', if this status was reached after a marketing automation process set the number of bounced emails for the contact.

    11.0.8
  • Web analytics - Incorrect web analytics for cultures with a non-Gregorian calendar

    Logging of web analytics did not work correctly for cultures using a year numbering system different from the Gregorian calendar.

    11.0.7
  • Form controls - Value of fields named 'DisplayName' not saved correctly

    If a form contained a field named 'DisplayName' and another field using the 'User selector', 'Multiple user selector', 'User name selector' or 'Community group members selector' form control, the value of the DisplayName field was always overwritten to '##USERDISPLAYFORMAT##' when the resulting form was saved. The issue occurred for all types of forms (fields of page types, custom tables, online forms, etc.).

    11.0.7
  • API - Licensing error when calling the contact API in special cases

    A licensing error occurred in certain cases when using the API to get the current contact on a site with a lower license edition than EMS.

    11.0.7
  • Pages - 404 error for multiple pages with similar wildcard URLs

    If multiple pages had URLs with wildcards and the URLs had at least one wildcard in common (for example '/Articles/{topic}' and '/Articles/{topic}/{date}'), the system returned a 404 Page Not Found error when the page with the more specific URL was requested.

    11.0.7
  • General export - Email marketing recipients not exported correctly

    When using the Advanced export feature for recipients in the Email marketing application, the values of certain columns (e.g. 'Newsletter subscription', 'Receiving marketing email') were not exported correctly if the number of records was very large (more than 1000).

    11.0.6
  • General - Runtime error after installing the 'Kentico.Libraries.Web.UI' package

    A runtime error occurred after installing the 'Kentico.Libraries.Web.UI' NuGet package into an external project. To resolve the issue, apply the hotfix to the related Kentico project and database, and then update the package in your external project to the corresponding version (11.0.6 or newer).

    11.0.6
  • Form engine - Page type field description not displayed correctly in special cases

    If the 'Field description' text of a page type field contained a macro that accessed the property or value of a different field, the description was not displayed correctly (in the field's tooltip) after a page was saved on the Form tab in the Pages application.

    11.0.6
  • Event management - 'Event calendar' web part error when running under heavy load

    An error could occur on pages containing the 'Event calendar' web part when running under heavy load.

    11.0.6
  • Email marketing - Error when viewing A/B tested marketing emails on upgraded instances

    On upgraded Kentico instances, an error occurred when editing an email feed with A/B tested emails that were created before the upgrade, i.e., on previous Kentico versions.

    11.0.6
  • Email marketing - A/B variants of marketing emails were duplicated after import

    When importing a package containing marketing emails with A/B testing applied, the variants of the email were duplicated.

    11.0.6
  • Contact management - Error when viewing the activity list of a contact

    An error occurred when viewing the 'Activities' tab of a specific contact in the Contact management application. The problem occurred only after applying hotfix 11.0.3 or newer.

    11.0.6
  • Code generation - Generating code for all page types not working correctly

    Code files generated for all page types on a site were created in a different location than the one specified. This could prevent the user from finding and working with the given code files.

    11.0.6
  • Pages - Page aliases not generated correctly when moving a large set of pages

    Moving a set of over 500 pages with the 'Remember original URLs when moving pages' setting enabled did not create the appropriate page aliases for some of the pages.

    11.0.5
  • On-line Marketing - Paging of contacts not working in the 'Contact demographics' report

    Paging of contacts did not work in the 'Contact demographics' report accessible from the 'Campaigns' and 'Email marketing' applications.

    11.0.5
  • KIM - Incorrect version order when checking for updates

    When checking for available hotfixes and upgrades in the Kentico Installation Manager utility using the 'Check' function, the tree containing available updates displayed major versions in an incorrect order. To fix the issue, the hotfix must be applied to the Setup files (switch to advanced mode in the hotfix utility).

    11.0.5
  • Import toolkit - Error when importing certain object types

    When attempting to import certain object types (for example pages) using the Kentico Import Toolkit utility, an error occurred in the source data preview step ("Cannot load default column mappings. Class not found.").

    11.0.5
  • Form controls - reCAPTCHA not working in environments with an HTTPS proxy

    The 'reCAPTCHA' form control did not work in environments using an HTTPS proxy (SSL offloading). The control incorrectly generated HTTP URLs instead of using HTTPS.

    11.0.5
  • Email marketing - Tracking of clicked links not working in page-based newsletters

    Tracking of clicked links did not work in page-based newsletters due to incorrect generating of tracking URLs. This issue only occurs on instances upgraded from Kentico 10 with hotfix 11.0.3 or later applied.

    11.0.5
  • Cultures - 'Related pages' web part not working correctly on multilingual sites

    On sites with multiple content cultures, the 'Related pages' web part displayed the default culture version for untranslated related pages, even if the 'Combine with default culture' setting was disabled.

    11.0.5
  • Cultures - Page aliases with the Culture set to '(all)' not working correctly

    On sites that had the 'Combine with default culture' setting disabled, page aliases with the Culture set to '(all)' did not work for pages that were not translated in the site's default culture.

    11.0.5
  • Amazon S3 - File access errors when using Amazon S3 in rare cases

    When using Amazon S3 for file storage, file access errors could occur on the live site in rare cases. The Amazon S3 storage provider incorrectly opened files in a way that prevented concurrent access.

    11.0.5
  • KIM - Error when using the 'Check' function

    When checking for available hotfixes and upgrades in the Kentico Installation Manager utility using the 'Check' function, an error occurred if the registered instances included at least two different major versions. To fix the issue, the hotfix must be applied to the Setup files (switch to advanced mode in the hotfix utility).

    11.0.4
  • Form controls - Misspelled attributes in the 'HTML5 input' form control

    The 'HTML5 input' form control generated misspelled 'minlength' and 'maxlength' attributes, which resulted in invalid output. The misspellings were also present in the form control's configuration interface.

    11.0.4
  • Widgets - Inline widget configuration dialog not working in content only page fields

    Editing of properties did not work for inline widgets placed into a rich text field of a content only page (the opened configuration dialog was blank).

    11.0.3
  • REST - Adjusting the string length limit for JSON data

    The REST service limits the length of request data in JSON format to 2097152 characters (4 MB of Unicode string data) by default, which is not sufficient in certain cases (for example when creating objects with large attachments). After applying the hotfix, the character limit can be adjusted using the 'CMSRestMaxJsonLength' web.config key.

    11.0.3
  • Pages - Access denied message shown when viewing preview links

    Viewing a preview link in a private window or a browser where the preferred culture (cookie) was not set resulted in the access denied page being displayed, even if the page was publicly accessible. The problem only occurred when opening the preview link for the first time.

    11.0.3
  • General export - Error when exporting activity data with non-default columns

    When using the Advanced export feature for the activity log in the Contact management application, an error occurred if the 'Export raw database data' option was enabled and columns that are not included in the activity list by default were selected.

    11.0.3
  • Email marketing - Page-based newsletters could not be sent on upgraded instances

    It was not possible to configure and send existing page-based (dynamic) newsletters on upgraded instances due to incorrect backward compatibility.

    11.0.3
  • E-commerce - Unpublished values displayed on the live site for products under workflow

    When editing product pages under workflow, the changes were displayed on the live site before they were published in certain cases (for example product names or prices displayed in shopping cart content). Applying the hotfix also disables inline editing of prices in product lists for products under workflow (inline editing is not compatible with product workflow).

    11.0.3
  • E-commerce - PayPal payments failed for orders containing a Buy X Get Y free product

    Payments using the default PayPal provider failed if the purchased items contained a free product obtained by fulfilling the conditions of a Buy X Get Y discount.

    11.0.3
  • API - Unnecessary 'ShoppingCartItemParameters.Price' property

    The E-commerce API contained the 'ShoppingCartItemParameters.Price' property, which was no longer necessary and incorrectly used the 'double' type. After applying the hotifx, the property is marked as obsolete.

    11.0.3
  • Modules - File data type for custom module class fields

    When creating or editing fields of custom module classes, the system incorrectly offered the 'File' data type. This data type is not intended for use with module class fields.

    11.0.2
  • Hotfix - Hotfixing error for projects using .NET 4.7.1

    When attempting to hotfix a project that was set to use .NET 4.7.1, an error occurred in the hotfix utility, stating that the .NET Framework version could not be determined. Hotfixes 11.0.2 and newer support all build versions of .NET 4.6 and 4.7.

    11.0.2
  • E-commerce - PayPal payments failed for customers who specified a phone number

    Payments using the default PayPal provider failed for customers who specified their phone number during checkout.

    11.0.2
  • Dialogs - Selection of '(more items...)' in selection dialog filters

    If a selection dialog contained a filter with another object selector that offered a sufficiently large number of items, the '(more items..)' option did not work.

    11.0.2
  • Form controls - Recorded data of on-line forms not displaying consent records correctly

    When a user submitted an on-line form which contained a field with the 'Consent agreement' form control, the system displayed recorded data for the form in the 'Forms' application as if the user gave an agreement with the specified consent, even when the user revoked the consent agreement.

    11.0.1
  • E-commerce - Shopping cart content lost in certain cases

    The content of a visitor's shopping cart was lost if the 404 error page was loaded or a resource on the current page returned a 404 not found error, and the error page itself or its master page accessed the 'EcommerceContext.CurrentShoppingCart' object.

    11.0.1
  • Continuous integration - Error when restoring custom table data in special cases

    An error occurred when restoring continuous integration files if the data of a custom table was added to the '<IncludedObjectTypes>' whitelist in the repository.config file (using an object type with the 'customtableitem.' prefix) and the corresponding custom table definition (cms.customtable object) was not yet created in the target database. The problem typically occurred when attempting to restore a new custom table definition together with its data.

    11.0.1
  • Security bugsFixed in version
  • Unauthenticated Remote Code Execution through .NET object deserialization in staging service  Critical

    Description

    Due to an error in the Microsoft.Web.Services3 library, it was possible for a specially crafted request on staging service to bypass the initial authentication and proceed to deserialize user-controlled input. The deserialization of the user-controlled input then led to remote code execution on the server where the Kentico instance was hosted.

    Workaround for all Kentico versions
    The workaround for this issue is the same for all projects, regardless of staging utilization - set the 'Staging service authentication' setting to 'X.509':
     1. Navigate to 'Settings' -> 'Versioning & Synchronization' -> 'Staging'
     2. Under the 'Staging service' section set 'Staging service authentication' to 'X.509'
     3. 'Save' the changes

    Details

    Issue type:
    Remote Code Execution
    Security risk:
    Critical
    Found in version:
    9.0 - 11.0.47
    Fixed in version:
    11.0.48
    Fixed date:
    4/4/2019
    Reported by:
    Aon's Cyber Solutions

    Recommendation

    Install the latest hotfix. You can download the latest hotfix from Download section on the DevNet portal. If you use an older version of Kentico Xperience, it is highly recommended to upgrade to the latest version.
    11.0.48

Hotfixes for 10.x

Fixed Bugs   Security Bugs
  • Bug DescriptionFixed in version
  • Security - Security improvements

    <p>Added security improvements to the application.</p>

    10.0.51
  • E-commerce - Shopping cart content lost in certain cases

    The content of a visitor's shopping cart was lost if the 404 error page was loaded or a resource on the current page returned a 404 not found error, and the error page itself or its master page accessed the 'EcommerceContext.CurrentShoppingCart' object.

    10.0.49
  • Continuous integration - Error when restoring custom table data in special cases

    An error occurred when restoring continuous integration files if the data of a custom table was added to the '<IncludedObjectTypes>' whitelist in the repository.config file (using an object type with the 'customtableitem.' prefix) and the corresponding custom table definition (cms.customtable object) was not yet created in the target database. The problem typically occurred when attempting to restore a new custom table definition together with its data.

    10.0.49
  • E-commerce - Product fields not saved correctly for new culture versions in certain cases

    When saving a new culture version of a product page that was created based on the content of another culture version, with the 'Save the new page before editing' option disabled, the values of any modified product fields were overwritten by the original values of the source culture version.

    10.0.48
  • Output filter - Relative URLs not resolved correctly in special cases

    The output filter for resolving relative URLs did not work in special cases for websites running under heavy load.

    10.0.47
  • Contact management - Custom contact fields not displayed correctly in the editing form

    Custom fields added to the Contact class under a custom category were not displayed correctly in the contact editing form. In general, the problem was caused by incorrect transferring of fields to alternative forms in cases where the original form and the alternative form contained a different category structure.

    10.0.47
  • Contact management - Updated user values not saved to contacts on upgraded instances

    On instances that were upgraded from Kentico 9, the User class had its 'Overwrite existing contact information' option disabled by default. As a result, updates of user values were not transferred correctly to the corresponding contact. Applying the hotfix enables the option (if the On-line marketing settings are not customized for the User class in the Modules application).

    10.0.47
  • Widgets - Inline widget properties with certain form controls not saving all values

    Only the first property value configured for inline widgets was saved correctly for properties using certain form controls that store values into multiple fields (for example the 'Report graph selector' form control).

    10.0.46
  • Users - Error on pages containing the On-line users web part

    An error occurred on pages containing the 'On-line users' web part in special cases when the 'Store on-line users in database' setting was disabled.

    10.0.46
  • Search - Search preview images not displayed when storing absolute URLs

    If the image field configured in the search settings of a page type or object stored absolute image URLs (for example images served from a CDN), the images were not displayed in the search results.

    10.0.46
  • Pages - Error when viewing all page aliases as an editor

    An error occurred when a user with the Editor privilege level clicked the 'View all aliases' button while creating or editing a page alias (on the URLs tab of the Pages application).

    10.0.46
  • Form controls - 'Country selector' form control incorrectly listing states from all countries

    If the 'Country selector' form control was configured to return the ID of the selected state for an integer type field, the state selector in the resulting form did not filter the displayed states based on the selected country in certain cases (states from all countries were loaded).

    10.0.46
  • Email marketing - Error when exporting raw database data of email feed recipients

    An error occurred when recipients of a particular newsletter email feed were exported using the 'Advanced export' action with the 'Export raw database data' option and 'Email' column selected.

    10.0.46
  • Portal engine - Page template cloning always included the template's scopes

    When cloning a page template, the template's scopes were cloned even if the 'Clone page template scopes' option was disabled in the cloning dialog.

    10.0.45
  • On-line forms - Cloning error for forms with a field name containing an SQL keyword

    An error occurred when cloning a form that contained a field with a reserved SQL keyword in its name (for example "function").

    10.0.45
  • E-commerce - Product values not saved correctly for versioned pages in special cases

    For product pages using workflow or versioning on a site with multiple content cultures, the values of the 'Product name', 'Short description' and 'Description' fields were not saved correctly when editing a product page in a non-default culture.

    10.0.45
  • Continuous integration - Inconsistent serialized data for bindings

    The serialized data created by the continuous integration solution for certain types of bindings (M:N relationships between objects) had an inconsistent order. The different data order caused unnecessary changes in the CI repository files (even when the binding data remained the same). To fix the problem, you need to apply the hotfix and then serialize all objects again in the Continuous integration application. The update may cause a large number of changes in existing CI data for bindings.

    10.0.45
  • Contact management - Case-sensitive email comparison when importing contacts from CSV

    When importing contacts from a CSV file, the comparison of email address values was case-sensitive. This could cause the import to incorrectly create duplicate contacts instead of updating existing contacts with a matching email address.

    10.0.45
  • Media library - Media file paths corrupted after renaming folders in special cases

    If a folder in a media library had a name that matched the name prefix of other folders in the same location, renaming the folder corrupted the file paths of media files contained in the other folders.

    10.0.45
  • Widgets - Certain properties not saved correctly for inline widgets

    The values of properties configured for inline widgets were not saved correctly for properties using a form control that stores values into multiple fields (for example the 'Attachment field selector' form control).

    10.0.44
  • Macros - Invalid macros in page version data after re-signing

    When using workflow or versioning for pages, macro expressions that were stored within the data of a page version and contained certain characters (for example '&' ampersands) became invalid after re-signing macros in System -> Macros -> Signatures. As a result, such macros could not be resolved when displaying content from a page version (for example in preview mode) or after rolling back to an older page version.

    10.0.44
  • Widgets - Media selection dialog not displaying the Attachments tab in special cases

    When a widget with a property using the 'Media selection' form control was inserted into a page field on the Form tab in the Pages application, the media selection dialog opened when setting the property's value did not display the Attachments tab.

    10.0.43
  • Widgets - Erasing of default values not working correctly for widget text properties

    If an empty value was saved into a widget property with a text data type, the property's default value was always loaded instead when the widget's configuration dialog was re-opened.

    10.0.43
  • Web analytics - File locking errors when processing analytics on a shared file system

    When using multiple Kentico applications with a shared file system and enabled web analytics, file lock errors could occur when processing the analytics log files. If you have such an environment, you also need to manually ensure that the file system is configured as shared after applying the hotfix (see the Hotfix instructions for more information).

    10.0.43
  • URL rewriting & SEO - Trailing slash in Google sitemap URLs

    If a site was configured to always use URLs without a trailing slash together with certain other combinations of settings from the 'URLs and SEO' category, the Google sitemap generated by the system still contained URLs with a trailing slash. This caused unnecessary URL redirections.

    10.0.43
  • Data engine - New SqlEvents.BulkInsert global event

    The system did not trigger any global events when creating objects by directly inserting data into a database table (for example when a user imported contacts from a CSV file). After applying the hotfix, developers can perform custom actions before or after such actions by assigning a handler to the new 'SqlEvents.BulkInsert' event.

    10.0.43
  • Reporting - 'Data from last' parameter not applied correctly for report subscriptions

    The 'Data from last' parameter set when creating report subscriptions was not applied correctly if the current site's default culture used a different date and time format than the English (en-US) culture. The time range of the report data sent to the subscriber was not limited according to the set value.

    10.0.42
  • Pages - Widget content not displayed when viewing page version details

    When viewing the details of a page version on the 'Versions' tab in the Pages application, information about editor widgets placed on the given page was not displayed (in the 'DocumentWebParts' field). The problem occurred only after applying hotfix 10.0.41.

    10.0.42
  • On-line Marketing - Submitting forms creates contacts despite disabled on-line marketing

    Contacts were created or updated when submitting on-line forms, even though the 'Enable on-line marketing' setting was disabled.

    10.0.42
  • Amazon S3 - Configurable Amazon S3 REST API endpoint

    The system always used a preset HTTP endpoint for the REST API request that determined the region of Amazon S3 buckets. This could cause problems in environments where non-HTTPS requests are restricted. After applying the hotfix, the Amazon S3 REST API endpoint can be configured to use HTTPS via the following web.config key: <add key="CMSAmazonRestApiEndPoint" value="https://s3.amazonaws.com" />

    10.0.42
  • Staging - Manual synchronizing of scheduled tasks not working

    Manual synchronizing of scheduled task objects using the 'Synchronize current subtree' action did not work (on the Objects tab of the Staging application).

    10.0.41
  • Search - Empty search result URLs returned for custom smart search indexes

    The 'SearchResultUrl' and 'GetSearchImageUrl' transformation methods returned empty values when used to display results for smart search indexes of the 'Custom index' type. The problem occurred only after applying hotfix 10.0.37 or newer.

    10.0.41
  • Pages - 'DocumentWebParts' widget content switched when comparing page versions

    When comparing two versions of a page, the information about editor widgets placed on the page (the 'DocumentWebParts' field) was switched between the two versions, i.e., the newer version listed the widget content of the former version and vice versa.

    10.0.41
  • General - Application start error under heavy load in special cases

    If the application started under heavy load and the 'runAllManagedModulesForAllRequests' modules attribute was enabled in the web.config, initialization was not performed correctly in special cases, which could cause errors with the following message: "You cannot change the default type of the generated objects after some objects were created by the generator."

    10.0.41
  • E-commerce - Error on shopping cart pages after an application restart in special cases

    If a customer's shopping cart contained a product that was added automatically as a result of a Buy X Get Y discount, and an application restart occurred on the server, the customer then received an error (stack overflow exception) when viewing any shopping cart-related pages. The problem occurred only after applying hotfix 10.0.24 or newer.

    10.0.41
  • Form controls - 'Country selector' form control error when returing state ID values

    If the 'Country selector' form control was configured to return only the ID of the selected state for an integer type field, an error occurred in the resulting form when attempting to load and display the selected values for the field.

    10.0.40
  • Dialogs - Selection dialogs not setting values for global objects

    Selection dialogs for objects that can be either site-specific or global did not set their values when global objects were selected (for example the 'In roles' and 'Not in roles' selectors in the advanced search filter of the Users application). The problem occurred only after applying hotfix 10.0.35.

    10.0.40
  • Transformations - Certain field names not resolving in Text/XML transformations

    When using Text / XML transformations, it was not possible to access the values of data fields whose name contained characters conflicting with the Kentico macro syntax (for example hyphens in element names when using an XML data source). After applying the hotfix, such fields can be accessed in transformations using the 'DataItem' macro object and indexing, for example: {% DataItem["field-name"] %}

    10.0.39
  • Staging - Missing user and task group data for certain types of staging tasks

    When an object was restored from the recycle bin, or modified by rolling back to an older version or undoing checkout, the resulting staging task did not contain information about the user who performed the change and was not categorized under the staging task group that was active when the change occurred.

    10.0.39
  • Media library - Media library dialog error in special cases

    When using an external file storage provider for media libraries (for example Azure Storage), an error occurred while displaying media library content in the 'Insert image or media' dialog if the 'Content -> Media -> Use permanent URLs' setting was disabled and the selected library contained more folders than allowed by the 'Max subfolders' setting.

    10.0.39
  • General - Dependencies not copied correctly for the Kentico.Libraries.Web.UI package

    When using the 'Kentico.Libraries.Web.UI' NuGet package in an external project, required third-party libraries were not copied to the correct output folder when building the project.

    10.0.39
  • Form controls - Error on the Preview tab for the 'Page template selector' form control

    An error occurred when viewing the 'Page template selector' form control on the 'Preview' tab in the Form controls application.

    10.0.39
  • Staging - Incorrect staging of empty page fields under versioning without workflow

    When staging pages (with enabled versioning without workflow) in an environment where the page IDs were not identical on the source and target server, non-required page fields that had an empty value were not synchronized correctly.

    10.0.38
  • Search - Custom smart search indexes not working

    Searching using smart search indexes of the 'Custom index' type did not work. The problem occurred only after applying hotfix 10.0.37.

    10.0.38
  • Data engine - Queries with single-line comments corrupted in special cases

    When resolving the ##WHERE## expression within the code of queries, the system removed adjacent newline characters in special cases, which could result in an incorrect query (for example if the SQL code also contained a single-line comment).

    10.0.38
  • Search - Inconsistent search behavior when using the '_index' or '_type' fields

    The values of the '_index' and '_type' system fields within smart search indexes were not converted to lower case, which could lead to incorrect search behavior when using these fields in search queries and filters. To ensure that searches filtered according to these fields work correctly, you need to rebuild your search indexes after applying the hotfix.

    10.0.37
  • Files - Error when uploading files into page fields in certain cases

    When creating new pages in the Pages application, an error occurred when uploading a non-image file (pdf, docx, etc.) into a field of the 'File' data type, if the system was configured to store files in the file system and had the integration bus enabled.

    10.0.37
  • Users - Incorrect number of anonymous on-line users

    When monitoring of on-line users was enabled, the system did not correctly clear expired sessions for anonymous users (guests). As a result, the number of displayed on-line users included guests who were no longer present on the website.

    10.0.36
  • Cookie consent - Cookie law consent web parts not invalidating existing cookies

    When a visitor reduced their allowed cookie level by clicking the 'Deny all' or 'Allow specific' button provided by the 'Cookie law consent' or 'Simple cookie law consent' web part, already existing cookies that no longer belonged to an allowed level were not invalidated in the visitor's browser.

    10.0.36
  • Controls - Selection of multiple items in UniSelector dialogs not working correctly

    Selection of multiple items in UniSelector dialogs was processed inefficiently, which could cause the selection to fail in certain cases.

    10.0.35
  • User interface - Administration interface icons displayed incorrectly in certain browsers

    Icons in the administration interface displayed incorrectly in the Google Chrome and Opera web browsers when using built-in developer tools of the browsers.

    10.0.34
  • Microsoft Azure - Incorrect initialization of Azure Blob storage

    After application start, Azure Blob storage containers were not initialized correctly under certain circumstances, leading to an error on initial requests.

    10.0.34
  • Licensing - Mass email feature not working properly with Base and Free licenses

    Mass email feature in the 'Users' application did not work properly on sites with Kentico CMS Base or Free license.

    10.0.34
  • E-commerce - Memberships not displaying associated product options

    When editing memberships in the 'Membership' application, the 'Products' tab did not display product options (of the 'Products' type) that were associated with the given membership.

    10.0.34
  • Content Personalization - Parent page content personalization not working on child pages

    Content personalization on a page containing the 'Page placeholder' web part did not work on child pages of the given page. Default variants of the personalized content were displayed instead of the personalized variants.

    10.0.34
  • Modules - Invalid module NuGet package names for Visual Studio 2017

    When creating installation packages for custom modules, the system generated NuGet package files with a name containing an underscore. Such packages could not be installed using Visual Studio 2017. After applying the hotfix, module package files are generated with names in format '<modulename>.<version>.nupkg'.

    10.0.33
  • Macros - Incorrect page size in the macro report

    When viewing the macro report in System -> Macros -> Report, each page in the list of macro expressions displayed one more item than allowed by the selected page size number.

    10.0.33
  • Microsoft Azure - Insufficient error messages for invalid Azure Storage configuration

    When using Microsoft Azure Storage for the project file system or individual folders, the system logged insufficiently detailed error messages in cases where the storage account values were misconfigured.

    10.0.32
  • Users - Incorrect privilege level for users created via the CMSAdminEmergencyReset key

    New user accounts created via the 'CMSAdminEmergencyReset' web.config key did not have the Global administrator privilege level (when using the key to recover administrator access).

    10.0.31
  • Social Marketing - Authorization always failed for Facebook pages

    When setting up pages in the Facebook application, the 'Authorize' action always failed (due to changes in the Facebook API used for access token retrieval).

    10.0.31
  • On-line Marketing - Separating or rejoining the on-line marketing database on SQL Azure

    When using a database hosted on Microsoft Azure SQL, an error occurred when separating or rejoining the on-line marketing database (instead of displaying information about the additional manual steps required for Azure databases).

    10.0.31
  • Localization - Localization strings resolving incorrectly for page titles

    If localization expressions were added into the page title of a page (on the Properties -> Metadata tab in the Pages application), the system always resolved the value into the site's default culture.

    10.0.31
  • Import/Export - Existing on-line forms not overwritten correctly by imported forms

    When using the import feature to update an existing form, certain parts of the form's configuration were not overwritten correctly (for example the form field definition and alternative forms).

    10.0.31
  • Settings - Error when viewing custom setting categories with many groups and keys

    If a custom setting category under a custom module contained at least 11 setting groups and 11 or more setting keys in the first group, an error occurred when viewing the category in the Settings application.

    10.0.30
  • Modules - Misleading error message shown after installing module packages

    Error messages related to the installation of NuGet module packages were misleading in certain cases. The error message was improved for cases where the module metadata contained multiple versions of the same module (this could occur for projects created using append-only deployment).

    10.0.30
  • Localization - Text content of widgets not localized correctly in on-site editing mode

    When viewing pages in on-site editing mode, localized text displayed by widgets was always in the site's default culture.

    10.0.30
  • Hotfix - Hotfix utility not running on systems with only .NET 4.7

    An error occurred when running the Hotfix utility on a system where only version 4.7 of the .NET Framework was installed (without any older versions).

    10.0.30
  • Pages - Staging task logged incorrectly when changing page security settings

    When modifying or removing the security settings of a page (ACLs) for a user or role with content staging enabled, the system logged the staging task for the change incorrectly (or not at all), and an error was displayed in the event log.

    10.0.29
  • Import/Export - Error when importing module class queries

    When importing classes with query objects, either as part of a custom module or a customizable class (system table), the query import did not work correctly and an import error occurred if one of the class queries already existed on the given instance.

    10.0.29
  • SharePoint - SharePoint data source incorrectly handling multiselect fields

    The SharePoint data source web part did not correctly handle multiselect fields (fields whose values are sent as arrays of strings). The hotfix ensures that the data source processes such fields into strings consisting of the array's items separated by newline characters (environment specific). You need to manually parse the string within the transformations applied to the data source's output, for example: 'Eval<string>("MultiselectField").Split(new[] { Environment.NewLine }, StringSplitOptions.RemoveEmptyEntries)'

    10.0.28
  • Pages - Incorrect validation when adding new wildcard page aliases

    When adding a new page alias containing a wildcard, the uniqueness validation incorrectly failed if the alias's URL path was a less specific version of an already existing URL path with wildcards.

    10.0.28
  • General - Application start errors in special cases

    If the first request during the application start targeted a GetResource.ashx resource handler, initialization was not performed correctly, which could cause the application to become unresponsive in special cases (error message: "You cannot change the default type of the generated objects after some objects were created by the generator.").

    10.0.28
  • E-commerce - Payment method selection web part not refreshing other page content

    When using the 'Payment method selection' web part on checkout pages, changing the payment option did not correctly trigger a refresh of other related content on the page. For example, order discounts applied based on a payment method condition were not immediately displayed by 'Shopping cart totals' web parts when the payment method selection changed.

    10.0.28
  • Continuous integration - Poor serialization performance when updating dependent objects

    When editing an object with a very large amount of dependent objects, the continuous integration serialization process could take a long time. Applying the hotfix optimizes the evaluation of object dependencies, which results in improved performance.

    10.0.28
  • Web parts - Bing Maps web parts not working due to an API update

    Due to an update of the Bing Maps API, the original Bing Maps web parts no longer work after June 30, 2017. Applying the hotfix updates the web parts to use the new Bing Maps V8 API. You may also need to update the transformation used to display location marker (pushpin) infoboxes, and perform additional manual steps if using custom pushpin icons.

    10.0.27
  • Web parts - Server-side translation of addresses to coordinates not working for Bing Maps

    If the 'Use server processing' property was enabled for Bing Maps web parts, addresses specified through location fields were not resolved into coordinates and corresponding location markers were not displayed on the map.

    10.0.27
  • Media library - Incorrect validation of reserved file system names for folders

    The validation of folder names in media libraries was not sufficient for certain types of names containing reserved file system keywords ('aux', 'com1', etc.). Such folders did not work correctly and could lead to errors.

    10.0.27
  • Macros - Error when resolving methods that modify order or page attachment collections

    An error occurred (MissingMethodException) when resolving macro methods that modify collections, such as 'OrderBy' or 'Where', if the collection contained Order or Page attachment objects (OrdersCollection, DocumentAttachmentCollection). For example, the error occurred for macro expressions such as: {% ECommerceContext.CurrentCustomer.Orders.OrderBy("OrderDate DESC") %}

    10.0.27
  • Import toolkit - GUID not preserved when importing attachments using the Import toolkit

    When importing page attachments using the Import toolkit, the attachments were always created with a new GUID value, even if a source with existing GUIDs was used for the AttachmentGUID column.

    10.0.27
  • Import toolkit - Incorrent import result data displayed for certain object types

    When importing data for certain types of objects (e.g. attachments) in the Import toolkit, the final steps showing the import log and number of imported objects contained misleading data in some cases.

    10.0.27
  • Email marketing - Error when no limit set for bounced emails

    When the value of the 'Bounced email limit' setting was set to 0 (which means there was no limit for bounced emails), an error occurred on the 'Recipients' tab of newsletters in the Email marketing application.

    10.0.27
  • Continuous integration - Performance issues when using continuous integration

    When using continuous integration, the system did not correctly evaluate whether an update of a field definition required re-serialization of the dependent objects (for classes, page types, etc.). This resulted in unnecessary serialization that could take a very long time if the instance contained large numbers of objects of the given type. Additionally, the hotfix improves the performance of the file system repository optimization that occurs after each serialization or restore process.

    10.0.27
  • Code generation - Application timeout when generating code for certain field names

    When generating classes for page types, custom tables or forms on the 'Code' tab of the appropriate editing interface, the application timed out in special cases. The problem occurred if the given object contained a field whose name started with the object's code name, followed by a number (for example, a page type with the code name 'Custom.Article' and a field named 'Article3D').

    10.0.27
  • Widgets - Small size of 'Display to roles' and 'Show for page types' system properties

    The 'Display to roles' and 'Show for page types' system properties of widgets had a smaller 'Size' (number of allowed characters) than the corresponding properties of web parts. The size was increased to 1000.

    10.0.26
  • URL rewriting & SEO - Domain alias redirection not working for URLs with the WWW prefix

    Domain alias redirection did not work if the target URL had the same domain as the alias, only with an additional WWW prefix.

    10.0.26
  • Users - Subscription management in user-related applications

    Management of forum and newsletter subscriptions in the 'My profile' and 'Users' applications did not work correctly.

    10.0.26
  • On-line Marketing - Errors when using a separated on-line marketing database

    When using a separated on-line marketing database, errors related to missing User-Defined Table Types could occur in the administration interface of on-line marketing applications (for example when viewing the 'Recipients' tab of a newsletter) or when calling the on-line marketing API in custom code.

    10.0.25
  • Macros - User name in macro signatures not preserved when re-signing open macros

    When re-signing macros in System -> Macros -> Signatures with an 'Old salt' value specified, macro expressions containing open conditions or loops did not preserve the user name in the macro signature. The original name was incorrectly replaced by the name of the user performing the re-signing process.

    10.0.25
  • General - Compilation error after hotfixing an upgraded project

    If a project was upgraded from Kentico version 9 or older without installing the 'Microsoft.CodeDom.Providers.DotNetCompilerPlatform' NuGet package, a compilation error occurred after applying hotfix 10.0.23 or 10.0.24.

    10.0.25
  • General - BadImageFormatException during application start

    A 'BadImageFormatException' error occurred during the application start if an assembly containing native code was present in the CMS web project's 'bin' folder (for example after installing certain types of NuGet packages).

    10.0.25
  • Form engine - Form builder not setting default property values for inherited form controls

    When adding an inherited form control to a form using the Form builder interface, default values of the form control's properties were not saved correctly. This could lead to inconsistencies when later editing the matching field on the form's Fields tab. Additionally, the default timestamp fields of forms (FormInserted, FormUpdated) and custom tables (ItemCreatedWhen, ItemModifiedWhen) had an incorrectly set 'Precision' value.

    10.0.25
  • Web parts - Web part layout editing dialogs not working under certain conditions

    The web part configuration dialog did not work correctly when creating new web part layouts on the Layout tab. Additionally, the web part layout editing interface behaved incorrectly after making changes in the Preview mode (both in the web part configuration dialog and the Web parts application).

    10.0.24
  • Form controls - Incorrect validation for 'Rich text editor' fields with a required value

    Validation did not work correctly for form fields that used the 'Rich text editor' form control and were set as 'Required'. Values could not be saved more than once if the content only consisted of void HTML tags (for example an iframe or image tag without any other content).

    10.0.24
  • E-commerce - Shopping cart state lost in special cases

    Performing certain types of shopping cart content changes could cause the cart to lose data that was not yet saved to the database (for example a discount applied via a coupon code was removed after updating the unit count of a product in special cases).

    10.0.24
  • E-commerce - ShippingAddress macro not evaluated correctly

    In certain cases, 'ShippingAddress' macro expressions returned an empty value for shopping carts or orders that used the billing address for shipping. After applying the hotfix, the macro always returns the billing address for order and shopping carts that do not have a different shipping address specified.

    10.0.24
  • Validators - Error when performing HTML validation of HTML5 pages

    Attempting to perform HTML validation of HTML5 pages resulted in an error.

    10.0.23
  • UniGrid - 'hideifnotauthorized' attribute of UniGrid action elements not working

    When configuring the XML definition of UniGrid components, the 'hideifnotauthorized' attribute of 'action' elements did not work.

    10.0.23
  • Staging - Error when staging published pages containing attachments

    In certain cases, staging of published pages containing attachments resulted in an error.

    10.0.23
  • Search - Automatic processing of search tasks not working in certain cases

    Automatic processing of search indexing tasks was not triggered correctly in certain cases (for example when indexing changes of object code names). This could cause search tasks to remain unprocessed in the queue until another task was logged.

    10.0.23
  • Reporting - Incorrect time interval filtering in the Conversion detail report

    The Conversion detail report did not filter data correctly according to the specified 'From' and 'To' dates.

    10.0.23
  • Marketing automation - Current site context not available in automation step macros

    When using macro expressions within marketing automation action steps placed after a 'Wait' step in the process, the 'CurrentSite' value is not available in the macro context. The hotfix adds a new 'ActivitySiteID' macro property, which you can use for automation processes with a 'Contact performed an activity' trigger (for example Abandoned shopping cart processes). The macro resolves into the identifier of the site where the trigger activity occurred.

    10.0.23
  • Form engine - CSS class of 'FormControl' tags in custom ASCX form layouts not rendered

    When setting the 'CssClass' attribute for 'FormControl' tags within custom form layouts of the 'ASCX' type, the specified CSS class was not rendered in the form's output.

    10.0.23
  • Dialogs - Incorrect behavior after selecting all objects on a page in Select dialogs

    When working in 'Select' dialogs (for example after clicking 'Add roles' while editing a user on the Roles tab in the Users application), selecting all objects listed on a page via the header checkbox incorrectly cleared the selection of objects on other pages.

    10.0.23
  • Form engine - Error CSS class not rendered for fields in forms with a custom ASCX layout

    If a validation error occurred for a field in a form using a custom layout of the 'ASCX' type, the system did not add the 'Error' CSS class to the <div> tag containing the invalid field's input element.

    10.0.22
  • Users - Incorrect password reset links when using site prefixes for user names

    When running multiple sites with the 'Use site prefixes for user names' setting enabled and the 'Require unique user emails' setting disabled, the forgotten password functionality generated password reset links for the wrong user in certain cases.

    10.0.21
  • Pages - 'Limit of related pages' setting of the 'Pages' form control applied incorrectly

    The 'Limit of related pages' setting of fields using the 'Pages' form control incorrectly limited the total number of related pages across all pages of the given page type, instead of only limiting the related pages for individual pages.

    10.0.21
  • Marketing automation - Tracking of links in marketing emails not working in certain cases

    In certain cases, the system did not track conversions from links in marketing emails sent via the 'Send marketing email' Marketing automation step.

    10.0.21
  • Continuous integration - Binding classes with a compound primary key restored incorrectly

    When restoring a custom binding class with a compound primary key from the continuous integration repository, the class's database table was not created correctly and had missing columns.

    10.0.21
  • Security - Improved logging of CSRF errors

    Errors that occurred as a result of the system's CSRF protection feature were difficult to identify in certain cases. After applying the hotfix, the related error messages provide more accurate information.

    10.0.20
  • Continuous integration - Error when adding page type fields with continuous integration

    An SQL error occurred when adding a field to a page type if continuous integration was enabled and the system contained a very large number of pages of the given type (over 2000).

    10.0.20
  • Localization - Saving not working in the Localize string dialog in certain cases

    When adding resource strings into localizable fields (for fields using the 'Localizable text box' or 'Localizable text area' form control), the Save & Close action in the Localize string dialog did not work if the selected string contained multiple lines of text in the current culture.

    10.0.19
  • Email marketing - Recipients unable to subscribe to a 'Newsletter' in certain cases

    If a recipient did not confirm a 'Newsletter' subscription with double opt-in within the set 'Double opt-in interval' ('Setting -> On-line marketing -> Email marketing'), they became unable to subscribe to that newsletter in the future.

    10.0.19
  • E-commerce - Attachment files not deleted correctly for copied E-products

    If an E-product (a product with the 'Representing' property set to 'E-product') was created as a copy of another product, deleting of attachment files from the 'Files' field did not work correctly and the files remained in the database (COM_SKUFile table).

    10.0.19
  • Files - File upload denied in some cases when using Windows authentication

    When uploading files via the 'MultiFileUploader' control (for example into File fields using the 'Direct uploader' form control), the file upload was denied in some cases and the system displayed an "unauthorized user" warning. The problem could occur on instances using Windows authentication while also having anonymous authentication enabled.

    10.0.18
  • Email marketing - Incorrect recipient status displayed on the 'Recipients' tab of a 'Newsletter'

    The 'Receiving marketing emails' column on the 'Recipients' tab of a 'Newsletter' incorrectly displayed the 'Opted out' status for users unsubscribed only from that single newsletter. After applying the hotfix, the 'Recipients' tab of a 'Newsletter' only displays the 'Opted out' status for users unsubscribed from all 'Newsletters'.

    10.0.18
  • Email marketing - 'Subscriber.Contact' macros not resolving in marketing emails in certain cases

    Macros in format 'Subscriber.Contact.<contact_property>' were not resolved correctly within the content of marketing emails for recipients who were added to a 'Newsletter' or 'Email campaign' as part of a contact group.

    10.0.18
  • Web parts - Error when using the Pages data source with a Universal pager in certain cases

    When a combination of the Pages data source (configured to retrieve multiple page types), Basic repeater, and Universal pager web parts was used with the 'Select top N pages' property, the resulting SQL query was generated incorrectly and caused an error.

    10.0.17
  • Staging - Processed staging tasks persisting in the database in staging environments with a circular

    In staging environments utilizing a chain of source and target servers with a circular topology, processed staging tasks persisted in the database of the last server in the server chain.

    10.0.17
  • On-line forms - Localization macros not resolved correctly in form autoresponder emails

    If a user submitted a form while having a non-default content culture selected, localization macros in the form's autoresponder emails were resolved into the site's default culture instead of the user's selected culture.

    10.0.17
  • Macros - Error in the Rule designer for required boolean parameters

    If a custom macro rule contained a boolean type parameter that was 'Required' and had a default value, an error occurred for users who left the default value while configuring the parameter in the 'Rule designer' dialog.

    10.0.17
  • REST - REST service not working with Windows authentication

    When using the REST service on instances with Windows authentication, domain user credentials provided in the basic authentication header of REST requests were not recognized correctly, which resulted in 401 Unauthorized responses.

    10.0.16
  • Pages - Incorrect evaluation of page level ('ACL') permissions in the 'Pages' form control

    Users granted permission to modify a page via page-level permissions ('ACLs'), but lacking the 'Modify' permission for the 'Content' module, were unable to modify the order of pages added to a page via the 'Pages' form control.

    10.0.16
  • Mobile development - Downtime for Microsoft Azure sites utilizing the 51Degrees Premium integration

    Heavy load on sites hosted on Microsoft Azure and utilizing the 51Degrees Premium integration caused site downtime in certain cases. After applying the hotfix, the 'Devices' selector on the 'General' tab of device profiles in the 'Device profiles' application no longer lists all devices from the 51Degrees Premium library.

    10.0.16
  • Licensing - License limitation errors when using both EMS and Ultimate licenses

    On instances containing both an 'EMS' license and another license of the 'Ultimate' edition, certain types of actions could cause license limitation errors on the site using the domain with the EMS license.

    10.0.16
  • E-commerce - Error when creating an order in certain cases

    If the customer's first or last name exceeded 100 characters, an error occurred when creating a new order.

    10.0.16
  • Web parts - 'SensorNotRequired' warning logged in the browser's console

    On pages containing the Google maps web part, the 'SensorNotRequired' warning was being logged to the browser's console due to the inclusion of an obsolete 'sensor' parameter when communicating with the Google Maps API.

    10.0.15
  • Search - Indexes not updated when setting the value of a custom SKU field

    If a custom field was added to the SKU class (under the E-commerce module) and configured to be indexed by the smart search, the system did not update related search indexes correctly when the value of the field was changed for a product page.

    10.0.15
  • On-line forms - Contact merging not working correctly when using alternative forms

    When an existing contact submitted new information via an alternative form, their updated contact information (e.g. name, address, etc.) was not correctly merged.

    10.0.15
  • E-mail engine - Invalid links in confirmation emails in certain cases

    Requests made through links in confirmation emails (for example password reset or unsubscription requests) were rejected as invalid in certain cases. The problem could occur if the culture context was different on the page where the request was generated and the page where the request was validated (only for certain cultures).

    10.0.15
  • Continuous integration - Database views not refreshed during the restore process

    When using continuous integration to synchronize changes that add or remove fields of the default customizable classes, the restore operation did not refresh database views related to the affected tables. This could lead to errors.

    10.0.15
  • Content editing - Incorrect processing of URLs starting with two slashes

    When adding URLs starting with two forward slashes (i.e. protocol-relative URLs) into content managed by the WYSIWYG editor, the system processed the value incorrectly, which resulted in an invalid relative URL.

    10.0.15
  • Widgets - Editable text widget losing its content

    In certain cases, the Editable text widget could lose its content when moved from one widget zone to another.

    10.0.14
  • Validators - Error when performing accessibility validation

    Attempting to perform accessibility validation of a page resulted in an error.

    10.0.14
  • Macros - Incorrect values of date and time parameters in the Rule designer

    When editing macro conditions in the 'Rule designer' dialog, rule parameters with date and time values were displayed incorrectly if the user's selected UI culture was different than 'English - United States'.

    10.0.14
  • Search - Search preview image for the CMS.File page type not displayed in certain cases

    When using a custom field to store a search preview image for the CMS.File page type, the system did not properly retrieve the image and instead displayed the default placeholder image in search results in certain cases.

    10.0.13
  • Pages - Error when copying pages under workflow in certain cases

    Copying of pages under workflow failed if the given Page type contained a custom field of the 'Unique identifier (GUID)' data type.

    10.0.13
  • E-commerce - Discounts disappearing after changing the currency of existing orders

    After changing the currency of an existing order on the 'Items' tab in the Orders application, discounts that were listed for the order disappeared in the user interface.

    10.0.13
  • Field editor - Form categories disappearing after inserting a macro into the caption

    When creating categories in the field editor, the category disappeared from the list if the 'Category caption' contained a macro expression that returned an empty string or null.

    10.0.12
  • Staging - Staging tasks not logged for the "Archive page" task type in certain cases

    In staging environments utilizing a chain of source and target servers (e.g. in a circular topology), staging tasks for the "Archive page" task type were not being logged on servers that received the task from another source server higher in the chain.

    10.0.11
  • Marketing automation - 'Initiated when' value not shown for processes initiated automatically

    When a marketing automation process was initiated automatically, the 'Initiated when' value was not shown on the process's Contacts tab.

    10.0.11
  • General - Incorrect processing of custom decimal values in rare cases

    When processing serialized XML data with custom fields of the 'Decimal number' data type (for example during import, staging, or in the REST service), the system handled certain types of decimal values incorrectly if the culture context of the source data was different than on the target instance. After applying the hotfix, the system attempts to adapt the processing for all types of decimal culture formats. In rare cases this may result in an error, and you then need to fix the source data or as a temporary workaround add the <add key="CMSDisableDecimalSeparatorFix" value="true" /> key to your project's web.config file to return to the previous decimal processing behavior.

    10.0.11
  • E-commerce - Error after clearing the shipping address during checkout

    When going through the checkout process, an error occurred in some cases if the customer set a different shipping address than the billing address, and then reset back to the billing address after returning from the following checkout step.

    10.0.11
  • Continuous integration - Configurable character encoding for repository files

    The character encoding used when generating files in the 'CIRepository' folder can now be configured via the new 'CMSCIEncoding' web.config key. For example: <add key="CMSCIEncoding" value="utf-8"/>

    10.0.11
  • Validators - Long integer number fields not accepting very large values

    The system incorrectly validated fields of the 'Long integer number' data type and did not accept values greater than 2*(10^18) or lower than -2*(10^18).

    10.0.10
  • Transformations - Incorrect 'IfEmpty' transformation method result for deleted files

    When a file was deleted from a field of the 'File' data type, the 'IfEmpty' transformation method incorrectly evaluated the field as not empty.

    10.0.10
  • Staging - Error after deleting custom table items with customized staging

    When using custom event handlers to automatically synchronize staging tasks, an error occurred after deleting a custom table data record.

    10.0.10
  • Modules - Error on custom object listing interface pages in certain cases

    When creating an object listing administration interface page for a custom module (using a template containing the 'Listing' UI web part), an error occurred on the page if the assigned Grid definition (xml file) contained an 'externalsourcename' column attribute whose value was not handled in an extender class.

    10.0.10
  • Form controls - Unsaved changes not reported for 'Uni selector' fields in certain cases

    Fields using the 'Uni selector' form control with the 'Selection mode' set to 'Multiple' did not report unsaved changes in the administration interface if a user navigated away from the editing form after removing items from the field.

    10.0.10
  • CSS - Unnecessary GetResource.ashx request with 'Combine CSS from components' enabled

    If the 'Combine CSS from components' setting was enabled, the system added an unnecessary GetResource.ashx request to pages that did not contain any components with assigned CSS.

    10.0.10
  • Continuous integration - CIRepository XML files deleted for the wrong site in special cases

    When deleting pages or objects on instances with multiple sites, the continuous integration solution removed serialized XML files in the 'CIRepository' folder for the wrong site in special cases.

    10.0.10
  • Continuous integration - Restored coupon objects could not be applied

    When restoring 'Discount coupon' and 'Buy X Get Y coupon' objects to the database using the continuous integration solution, the current number of redemptions (coupon uses) was set as null instead of 0 and the coupons could not be applied.

    10.0.10
  • Contact management - Subscription error for contacts with a non-unique email on non-EMS instances

    When subscribing contacts (for example to a newsletter), an error occurred for contacts with a non-unique email address on instances without an EMS license.

    10.0.10
  • Portal engine - Error when pasting web parts to a zone personalization variant

    When using the Copy all and Paste functionality to copy all web parts from a web part zone to a personalization variant of a different web part zone, an error could occur.

    10.0.9
  • Pages - Incorrect permission evaluation for page not found redirects

    Altering the query string parameters of a URL leading to a non-existing page (causing a page not found redirect) made it possible for signed-in users with insufficient permissions to access unpublished data on the page not found error page.

    10.0.9
  • Page types - Inherited page types not imported correctly in certain cases

    When importing an inherited page type together with its parent to an instance where those page types already exist, changes in the parent page type were not reflected in its descendants in certain cases.

    10.0.9
  • Controls - Invalid HTML produced by pagination components

    Some of the system's default pagination components (pagers based on the 'DataPager' control) generated HTML code that was not valid. The control's output code contained a doubled semicolon in the value of a 'style' attribute.

    10.0.9
  • Workflow - Rejected email not sent to the user who edited or submitted the page for approval

    When rejecting a page under workflow, the Rejected email was not sent to the user who edited or submitted the page for approval in certain cases.

    10.0.8
  • Sites - New sites not created correctly with certain site cultures

    When adding a site using the New site wizard in the Sites application, the site was created incorrectly if the selected 'Site culture' was different than 'English - United States' (or if the system's 'Default content culture' setting was different when creating the site using a web template).

    10.0.8
  • Macros - Documents[] macro not working according to the current content culture

    The 'Documents[]' macro expression did not return results (pages) according to the current content culture.

    10.0.8
  • Email marketing - A/B tested email variants not sent on sites with low traffic

    In certain cases, the system task for sending A/B tested email variants was not executed correctly on sites with low traffic. As a result, the A/B tested email variants were not sent.

    10.0.8
  • Contact management - Error when posting on a forum or subscribing to a post without EMS license

    An error occurred when a contact posted on a forum or subscribed to a forum post on sites with licenses other than EMS.

    10.0.8
  • Modules - Error in the UI for bindings between classes of the same type

    When building the administration interface for a custom binding class using the default 'Edit bindings' page template, an error occurred if the binding was defined between classes of the same type (for example M:N relationships between users).

    10.0.7
  • Email marketing - Links in marketing emails not tracked in certain cases

    When links in marketing emails contained HTML comments (for example <!--</a>-->), the links were not converted into tracking links in certain cases.

    10.0.7
  • Pages - 404 error for pages with multiple wildcard aliases

    If a page had multiple aliases with wildcards in the URL path and the aliases had at least one wildcard in common (for example '/News/{number}' and '/News/{number}/{type}'), the system returned a 404 Page Not Found error when the page was requested through the more specific alias.

    10.0.6
  • E-commerce - Invoice number missing in the invoices of new orders

    The initial invoices of new orders did not contain the invoice number.

    10.0.6
  • Continuous integration - Unnecessary changes generated for search index files

    The 'IndexLastRebuildTime' field was incorrectly included in the serialized data of search index objects when creating files in the continuous integration repository. This caused unnecessary changes, which were then tracked in the associated source control system.

    10.0.6
  • Contact management - Contacts created incorrectly for clients with disabled cookies

    The system incorrectly created new contacts on every request in cases where the visitor did not allow cookies (for example because of blocked cookies in the browser, or lack of consent on sites using the 'Cookie law consent' web parts).

    10.0.6
  • Import/Export - Licenses could not be imported from instances with lower hotfix versions

    License objects were not imported from packages that were exported on an instance with a lower hotfix version.

    10.0.5
  • MV testing - Error when calling DeleteMVTVariantInfo(variantGuid) for deleting MVT variants

    An error occurred after calling the 'DeleteMVTVariantInfo(variantGuid)' method in custom code when deleting MVT variants from pages.

    10.0.5
  • Workflow - Mass actions in the Workflows application affecting pages on all sites

    When editing a workflow on the Pages tab in the Workflows application on instances with multiple sites, mass actions were performed for pages on all sites, even when a specific site was selected in the Site filter.

    10.0.4
  • Web parts - Changing the ID of a layout web part removed child web part variants

    Changing the 'Web part control ID' property of a layout web part removed any content personalization or MVT variants created for web parts placed within the layout.

    10.0.4
  • Portal engine - Modal dialogs not closing in on-site editing mode in certain cases

    When using a custom jQuery UI library on live site pages, it was not possible to close modal dialogs in the on-site editing mode for pages based on Portal engine page templates.

    10.0.4
  • Modules - Customizable classes not included in module installation packages

    Module classes that had the 'Can be customized' flag enabled were not included when creating installation packages for custom modules.

    10.0.4
  • Media library - Sorting media files by size not working in the Listing mode

    When editing a media library in the Listing mode in the Media libraries application, sorting the media files by size did not work.

    10.0.4
  • Macros - Page collection macros not resolved correctly on the live site

    Macro expressions with page collection (TreeNodeCollection) components were not resolved correctly on the live site for public users or other users with limited page permissions. For example: {% CurrentDocument.Children.FirstItem.AbsoluteURL %}

    10.0.4
  • Macros - Macros in the Page title property not resolved correctly on the live site

    Macro expressions that were added in the 'Page title' property on the 'Properties -> Metadata' tab in the Pages application did not resolve correctly on the live site.

    10.0.4
  • Macros - Syntax validity check not working correctly in the macro report

    The macro report tool in System -> Macros -> Report did not check syntax validity correctly (except for macro rule expressions).

    10.0.4
  • Image editor - Error when editing and saving images in certain cases

    An error occurred when editing and saving images in applications that contain the Theme tab (e.g. Page layouts).

    10.0.4
  • Dashboards - Error when adding widgets to widget dashboards in certain cases

    An error occurred when adding widgets containing the Path property to widget dashboards (e.g. My desk).

    10.0.4
  • Dashboards - Layout widget content not saved on dashboards

    When using layout widgets on dashboards, the layout content was not saved correctly and disappeared after leaving or refreshing the dashboard page.

    10.0.4
  • Continuous integration - Collisions with reserved file system names when serializing objects

    When serializing objects whose name starts with a reserved file system name ('aux', 'com1', etc.), the continuous integration solution did not adjust the name correctly in certain cases, which resulted in an error.

    10.0.4
  • ASPX templates - Custom subscription form web part error on ASPX page templates

    If the 'Custom subscription form' web part's control was added into the markup of an ASPX page template, an error occurred after submitting the subscription form on pages using the template.

    10.0.4
  • Translation services - Editable content of pages incorrectly translated in certain cases

    When resubmitting pages based on the 'ASPX + Portal page' page template for translation, the editable content of the pages could be incorrectly translated in certain cases. For example, when the page template was modified before resubmitting the pages, the system did not distinguish between the IDs of the editable web parts and editable regions in the generated XLIFF files.

    10.0.3
  • Security - Payments made via the PayPal payment gateway causing errors

    Due to a misconfiguration of the system's CSRF protection, an error ocurred when verifying payments that were made using the PayPal payment gateway. As a result, the payment was aborted and the order not marked as paid.

    10.0.3
  • Search - Smart search worker role not indexing pages with widgets

    When running on Microsoft Azure, the smart search worker role could not index pages containing widgets. After applying the hotfix, the smart search worker role indexes widget content without the widget default values.

    10.0.3
  • Pages - DocumentQuery returning incorrect culture version of pages in certain cases

    If the 'Check page permissions' setting was enabled or used as a parameter of the DocumentQuery API, the DocumentQuery could return different culture version of pages than expected. For example, this could cause that the page names were displayed in an incorrect culture in the content tree of the Pages application.

    10.0.3
  • On-line forms - Error when deleting on-line form records in certain cases

    When the ID field of a form was not in the first position in the form builder, deleting a form record caused an error if the ID field was displayed on the Recorded data tab in the Forms application.

    10.0.3
  • Attachments - Image variants disappeared after editing and saving images with no changes

    When editing image attachments of the pages under workflow in the Pages application and saving the images without making any changes, all variants of the edited images disappeared.

    10.0.3
  • Web farms - Servers tab in the Web farm application not accessible in certain cases

    When the number of registered web farm servers exceeded the number allowed by the highest instance license, the Servers tab in the Web farm application was inaccessible.

    10.0.2
  • Output filter - Output compression could cause corrupt server responses for virtual directory files

    If output compression was enabled, the system could return corrupted responses when serving static files (e.g., images or pages) from an IIS virtual directory located outside of the Kentico project folder.

    10.0.2
  • Form engine - Script tags not working in custom form layouts

    When creating custom HTML layouts for forms, any <script> tags added to the layout code were not included in the output of the resulting form.

    10.0.2
  • Contact management - Percentage of total contact base not displayed in contact groups

    When editing contact groups in the Contact groups application, the percentage of total contact base was not displayed for the individual groups.

    10.0.2
  • Forums - Custom forum layouts not selectable in forum web parts

    After creating a custom forum layout (in the 'CMSModules\Forums\Controls\Layouts' folder), the layout did not appear as an option in the 'Forum layout' property of forum web parts.

    10.0.1
  • Form controls - Infinite page refresh for forms using the 'Numeric up/down' control

    Using the 'Numeric up/down' form control for a field with the 'Has depending fields' option enabled caused an infinite refresh on the page containing the resulting form.

    10.0.1
  • E-commerce - Abandoned shopping carts did not contain products in certain cases

    When using marketing automation to send email reminders about abandoned shopping carts, the restored shopping cart on the linked page did not contain products if the user was not signed in on the website.

    10.0.1
  • Debug - Output debug caused corruption of virtual directory files

    Enabling the output debug could cause the application to return corrupted responses when serving static files (images or pages) from an IIS virtual directory with a physical path outside of the Kentico project files.

    10.0.1
  • Authentication - AD mixed mode authentication causing errors for Forms users

    When using mixed mode Active Directory authentication, having an incorrectly configured or not responding Active Directory server caused an error when authenticating standard Forms users.

    10.0.1
  • ASPX templates - Custom registration form web part not working on ASPX page templates

    The 'Custom registration form' web part did not work correctly when its control was added into the markup of an ASPX page template.

    10.0.1
  • Security bugsFixed in version
  • Unauthenticated Remote Code Execution through .NET object deserialization in staging service  Critical

    Description

    Due to an error in the Microsoft.Web.Services3 library, it was possible for a specially crafted request on staging service to bypass the initial authentication and proceed to deserialize user-controlled input. The deserialization of the user-controlled input then led to remote code execution on the server where the Kentico instance was hosted.

    Workaround for all Kentico versions
    The workaround for this issue is the same for all projects, regardless of staging utilization - set the 'Staging service authentication' setting to 'X.509':
     1. Navigate to 'Settings' -> 'Versioning & Synchronization' -> 'Staging'
     2. Under the 'Staging service' section set 'Staging service authentication' to 'X.509'
     3. 'Save' the changes

    Details

    Issue type:
    Remote Code Execution
    Security risk:
    Critical
    Found in version:
    9.0 - 10.0.51
    Fixed in version:
    10.0.52
    Fixed date:
    4/10/2019
    Reported by:
    Aon's Cyber Solutions

    Recommendation

    Install the latest hotfix. You can download the latest hotfix from Download section on the DevNet portal. If you use an older version of Kentico Xperience, it is highly recommended to upgrade to the latest version.
    10.0.52

Hotfixes for 9.x

Fixed Bugs
  • Bug DescriptionFixed in version
  • Security - Security improvements

    Added security improvements to the application.

    9.0.51
  • Web analytics - Error when using the Analytics browser capabilities web part

    The 'Analytics browser capabilities' web part did not work and pages containing the web part generated logging requests that resulted in an error (CSRF exception). The problem occurred after applying hotfix 9.0.48.

    9.0.50
  • Macros - Component CSS macros not working for transformations and web part layouts

    Macros for loading component CSS did not work for transformations and web part layouts. For example: {% CSS.Transformations["custom.article.list"] %}

    9.0.50
  • Contact management - Next run of the 'Delete inactive contacts' scheduled task not set properly

    When the deletion of inactive contacts took longer than 1 minute, the next run of the 'Delete inactive contacts' scheduled task was not set, and the task did not execute again. To fix the problem, you need to manually execute the scheduled task after applying the hotfix.

    9.0.50
  • Transformations - Error when using transformation with dot character in code name in special cases

    An error occurred when using transformations with a dot character in their code name. For example, if the system fetched a transformation directly from the database, the transformation's code name was parsed incorrectly and caused an error.

    9.0.49
  • Social Marketing - Facebook insights not collected

    Facebook insight data was not collected for pages assigned to Facebook apps using version 2.7 or newer of the Facebook API (i.e. apps created after July 13, 2016).

    9.0.49
  • Search - Infinite loop when rebuilding page indexes

    An infinite loop could occur when building page smart search indexes if the indexed data fields contained complex HTML or XML structures.

    9.0.49
  • Form controls - Logic CAPTCHA form control always displayed the explanation text

    The 'Logic CAPTCHA' form control displayed the "(please enter the answer to the question or statement)" text even if its hidden 'ShowAfterText' property was disabled.

    9.0.49
  • Email marketing - Error when filtering the emails of an email campaign

    An error occurred after applying the subject filter on the 'Emails' tab when editing an email campaign in the Email marketing application.

    9.0.49
  • Web farms - License key changes not synchronized correctly

    Changes of license keys were not synchronized correctly between web farm servers, which could lead to logged errors in certain cases.

    9.0.48
  • Media library - Resized media library images had relative URLs in emails

    When sending emails from Kentico (for example in the Email queue application), images added to the email content from a media library with resized dimensions were inserted with a relative URL, which caused them to be unavailable when viewed in email clients.

    9.0.48
  • Hotfix - Installations from hotfixed setup files not working

    Kentico instances installed from setup files with hotfix 9.0.40 or newer applied did not work (errors occurred due to missing assembly files).

    9.0.48
  • Continuous integration - Improved error logging when restoring CI data

    If the restoring of continuous integration data to the database failed, it was difficult to diagnose the exact cause in certain cases. If the process fails during the composition of an object consisting of multiple parts, the error message now contains the file system paths of the related files.

    9.0.48
  • Caching - Incorrect cache dependencies for imported 'Output cache dependencies' web parts

    After exporting and importing a page template containing the 'Output cache dependencies' web part, the keys specified in the web part's 'Cache dependencies' property were processed incorrectly and combined into a single invalid line.

    9.0.48
  • Authentication - Windows authentication with character replacement disabled for roles

    Windows Active Directory authentication could cause an error if replacement of forbidden characters was disabled for roles via the 'CMSEnsureSafeRoleNames' web.config key. The error occurred if import of AD domain groups as roles was enabled and the authenticated user belonged to at least one group with a forbidden character in its name.

    9.0.48
  • E-commerce - Search in customer selection dialogs

    When using the search in customer selection dialogs (for example when manually creating new orders), the system only displayed customers with matching last names. After applying the hotfix, the search also uses the first name, company and email address customer fields.

    9.0.47
  • Authentication - Claims authentication fails and creates multiple user accounts

    When using certain external identity providers for authentication (for example Access Control Service), the system incorrectly handled situations where the identity provider returned an empty username claim. This caused an authentication loop for the client, which could result in the system generating multiple user accounts.

    9.0.47
  • Web farms - Files not synchronized due to web farm server restarts

    When using automatic web farm mode, servers were deleted from the system while restarting. As a result, the system did not create file synchronization tasks while the server was missing. After applying the hotfix, servers always remain in the system for 24 hours after shutting down (unless running on Azure Cloud Services).

    9.0.46
  • Time zones - Time values calculated incorrectly in rare cases

    Date and time values were adjusted incorrectly if the value matched the start or end interval of the active time zone's daylight saving time (after conversion to the server time zone). As a result, the saved time did not match the selected time.

    9.0.46
  • Pages - Incorrect permission evaluation for pages in the content tree in special cases

    If the 'Check page permissions' setting was enabled, certain pages in the content tree could be incorrectly hidden even though users had sufficient permissions to view the pages.

    9.0.46
  • Facebook connect - Facebook authentication not working for new apps

    Due to changes in the Facebook API, an error occurred when a user attempted to sign in through newly registered Facebook authentication apps. After applying the hotfix, the 'Biography' field is no longer offered when configuring mappings of Facebook user profile fields (the field is not available in the Facebook API).

    9.0.46
  • Data engine - Error on sites under heavy load

    An error (System.NullReferenceException) could occur in certain cases while performing some types of operations on sites under heavy load.

    9.0.46
  • Custom tables - Custom table Items collection incorrectly cached in macros

    When using the Items property of custom table objects in macros, the data was incorrectly cached. For example, when using the 'GlobalObjects.CustomTables["<customtablecodename>"].Items' macro, the latest data was not returned.

    9.0.46
  • Form controls - Error when enabling 'Has depending fields' for certain form controls

    Enabling the 'Has depending fields' option for form fields caused an error in the resulting form when using certain form controls (Category selector, Department roles selector, Report selectors, User selector, Variation selector).

    9.0.45
  • E-commerce - Custom shipping options could prevent customers from finishing orders

    Custom ShippingOptionInfoProvider implementations could allow customers to get into a state when they could not finish their order. If customers changed their information or content of the shopping cart causing that the already selected shipping option was no longer applicable, customers were prevented from changing the invalid shipping option and could not continue with the checkout process.

    9.0.45
  • Alternative forms - Form control could not be changed from 'Label' for primary key fields

    When editing a primary key (ID) field in an alternative form, the field editor did not allow selection of any form control other than 'Label'.

    9.0.45
  • Security - Errors when using cookie consent web parts

    If the system disabled cookies for a user via the 'Simple cookie law consent' or 'Cookie law consent' web part, an error (CSRF exception) occurred for each post request (button clicks, form submissions, etc.). The hotfix resolves the problem by changing the cookie level of the 'CMSCsrfCookie' cookie to 'System'.

    9.0.44
  • Pages - Form tab data lost when adding pages under workflow to a campaign

    In certain cases, adding an existing page under workflow to a campaign caused the loss of page type data entered on the page's Form tab in the Pages application.

    9.0.44
  • Hotfix - Error when applying hotfixes on upgraded instances

    An "Unsupported DLLs version" error occurred when applying the hotfix on some instances that were upgraded from older Kentico versions.

    9.0.44
  • Widgets - Error when inserting inline widgets in certain cases

    An error occurred when inserting inline widgets into newly created unsaved pages.

    9.0.43
  • Web farms - Scheduled task creation in a web farm environment

    When creating a scheduled task in a web farm environment with the 'Create tasks for all web farm servers' option enabled, the scheduled task was not created for the server processing the request.

    9.0.43
  • Web analytics - 'Excluded IP addresses' setting not applied correctly

    In certain cases, the value of the 'Settings -> On-line marketing -> Web analytics -> Excluded IP addresses' setting was not applied until the application was restarted.

    9.0.43
  • Marketing automation - Automation processes stuck on Wait steps with date or time in the past

    Marketing automation processes got stuck when they contained a Wait step whose Timeout settings were set to a Specific day with the date or time in the past.

    9.0.43
  • Marketing automation - 'Comment and move to specific step' action not working

    The 'Comment and move to specific step' action did not work when manually moving contacts between the steps of a marketing automation process.

    9.0.43
  • Import/Export - Insufficient license checks when importing site packages

    When importing a site package with objects requiring a greater license edition than the one registered on the instance, a license limitation error occurred even if the import package contained a sufficient license key. After applying the hotfix, the system checks for suitable license keys in the content of imported packages.

    9.0.43
  • Form controls - Accessibility validation failed for specific form controls

    When used in a form, the 'U.S. phone number' and 'Upload file' form controls generated a hidden <label> element in addition to the label in the form, which caused accessibility validation to fail for the form's output code.

    9.0.43
  • E-mail engine - Email attachments could not be opened in the iOS email client

    File attachments were not displayed when viewing emails sent from Kentico in the default iOS email client. The problem occurred after applying hotfix 9.0.29.

    9.0.43
  • Dashboards - Empty dashboard after removing an application from the system

    Removing the UI element representing an application that was added to the system dashboard caused the dashboard to be blank. After applying the hotfix, the dashboard correctly displays applications after one of them is removed from the system.

    9.0.43
  • Contact management - Macro for counting the contact groups of a contact not resolved correctly

    The '{%OnlineMarketingContext.CurrentContact.ContactGroups.Count%}' macro for counting how many contact groups the contact is a member of did not resolve correctly because the 'ContactGroups' property of the 'ContactInfo' object was cached incorrectly.

    9.0.43
  • Caching - Initial loading of cached data in heavy load environments

    When loading data with caching enabled, the system performed multiple load operations in certain cases if running in a heavy-traffic environment with a large number of concurrent requests.

    9.0.43
  • Web farms - Import not working correctly when using a non-sticky load balancer

    When running in a web farm environment with a load balancer using non-sticky sessions, package files uploaded in the import wizard were not synchronized between servers, which could prevent the import from working.

    9.0.42
  • Users - Screen lock dialog when using impersonation

    If a screen lock occurred while impersonating a different user, the unlock dialog incorrectly required the credentials of the user who was being impersonated. After applying the hotfix, the unlock dialog accepts the credentials of the original user.

    9.0.42
  • Staging - Page aliases not synchronized after deleting pages in certain cases

    When deleting pages with the 'Redirect old URLs to another page' option, the system did not create staging tasks to update the page alias.

    9.0.42
  • Staging - Linked pages incorrectly synchronized in certain cases

    An error occurred when processing update and publish staging tasks for linked pages that were assigned to a category.

    9.0.42
  • Staging - Error logged incorrectly when synchronizing pages in special cases

    When the system synchronized pages under workflow with the 'Automatically update page alias' setting enabled, an error was incorrectly logged even though the synchronization was successful.

    9.0.42
  • Metafiles - Error when viewing global metafiles

    An error occurred when viewing metafiles on the 'System -> Files -> Metafiles' tab if the '(global)' option was chosen in the Site selector.

    9.0.42
  • Hotfix - Hotfix utility not usable on Windows 10 with 150% DPI scaling

    The Hotfix and upgrade utility did not display its buttons when opened on Windows 10 with 150% DPI scaling.

    9.0.42
  • General - Incorrect handling of read-only sessions causing errors

    The system incorrectly performed set and remove session operations when handling requests using read-only session state, which caused errors (visible in the event log).

    9.0.42
  • Debug - Enabling the file debug in 'System -> Files -> Debug' enabled all debugs

    Enabling the file system (IO) debug through the information message on the 'System -> Files -> Debug' tab incorrectly enabled all types of debugs instead of just the file debug.

    9.0.42
  • Cultures - User's preferred content culture ignored when using Windows authentication

    The 'Preferred content culture' user setting was ignored when using Windows authentication to authenticate users.

    9.0.42
  • Widgets - Incorrect behavior of certain widget properties

    When working with widgets properties, the system was not able to identify properties as inherited from the parent web part in certain cases, leading to duplicated properties in the configuration dialog and incorrectly applied property settings.

    9.0.41
  • Microsoft Azure - Unnecessary requests when checking file existence on Blob storage

    When using Azure Blob storage to store files, the system performed an unnecessary number of requests when checking whether a file existed (for non-existing files). After applying the hotfix, information about non-existing Blob files is cached.

    9.0.41
  • Media library - Reduced application performance while uploading media files

    When using an external file storage provider (for example Amazon S3), uploading of media files caused the application to become unresponsive for the given user while the upload was in progress.

    9.0.40
  • Amazon S3 - Amazon Web Services SDK for .NET update

    Updated the Amazon Web Services SDK for .NET to version 3.1.9.0. After applying the hotfix, the Amazon S3 file storage can be used with all Amazon data centers.

    9.0.40
  • Users - 'Lock reason' filter disabled in the Users application

    When working with the advanced search filter in the Users application, the 'Lock reason' selector incorrectly became disabled after the search was applied to the list of users.

    9.0.39
  • User interface - Applications using a tree-based layout were incorrectly rendered in certain cases

    Applications using a tree-based layout (for example the Pages application) could be incorrectly rendered if the tree contained a large number of elements.

    9.0.39
  • URL rewriting & SEO - 301 redirection errors in certain environments

    In certain environments, the system handled 301 permanent redirects incorrectly if the target URL contained special characters. The redirects resulted in either an invalid URL or a page not found error.

    9.0.39
  • Staging - Error when processing page staging tasks in certain cases

    If a page under workflow with child pages had its page name changed and the 'Automatically update page alias' setting was enabled, processing of the related page staging task caused an error.

    9.0.39
  • Performance - SQL query text always loaded to memory

    The system loaded SQL query text to memory even when the SQL debug was disabled. This could lead to heavier memory usage and reduced application performance.

    9.0.39
  • Marketing automation - 'Contact' macros not resolved correctly after Wait steps on localized sites

    When a culture with a full localization pack was set as a site's 'Default content culture', macros containing 'Contact' objects were not resolved correctly in marketing automation processes for action steps placed after the Wait step.

    9.0.39
  • Users - Impersonation dialog showing disabled users

    The user impersonation dialog incorrectly displayed user accounts that were not enabled.

    9.0.38
  • Settings - Error when renaming custom setting keys

    An error occurred when changing the code name of a custom setting key in the Modules application, if the setting had a site-specific value assigned (in the Settings application).

    9.0.38
  • Search - Infinite loop when rebuilding page indexes

    An infinite loop could occur when rebuilding page smart search indexes if the indexed content included certain types of strings with HTML comments.

    9.0.38
  • Form controls - Uni selector form control not refreshing depending fields

    The 'Has depending fields' setting did not work for fields using the 'Uni selector' form control with the 'Selection mode' set to Single or Multiple text box. The resulting form was not refreshed when the field's value was changed.

    9.0.38
  • Caching - Pages with running A/B or MVT tests not cached correctly when using Output cache

    When using Output cache for pages with running A/B or MVT tests together with the 'Redirect invalid case URLs to their correct versions' setting configured to a different value than the default 'Do not check the URLs case' option, a blank page was displayed instead of the cached pages.

    9.0.38
  • WYSIWYG editor - Incorrect editor behavior when the browser's Find dialog was open

    If the browser's Find dialog was opened by pressing CTRL + F while the cursor was present in the editor's area, pressing the 's' key caused the editor to behave incorrectly and attempt to save the content.

    9.0.37
  • Translation services - Error when using the Translations.com translation service in special cases

    An error could occur when importing submissions translated via the Translations.com translation service if the 'Automatically import translated submissions' setting was enabled.

    9.0.37
  • Staging - Scheduled tasks not synchronized across multiple staging servers

    In a staging environment with multiple servers, the system did not create new staging tasks related to scheduled task objects when processing incoming tasks from another server (even if the 'Log staging changes' setting was enabled).

    9.0.37
  • Search - Incorrect search results for pages containing instances of the 'Editable image' web part

    Pages smart search indexes incorrectly contained properties of the 'Editable image' web part instances. This could affect the accuracy and relevance of search results. After applying the hotfix, web part instances with a modified 'Web part control ID' are also excluded from the search index content.

    9.0.37
  • Reporting - Incorrect time range of data sent to report subscribers

    If a user subscribed to a report while using a UI culture with a different date format than the en-US culture, the system incorrectly processed the value in the subscription's 'Data from last' setting. As a result, the time range of data displayed in the sent reports was incorrect.

    9.0.37
  • Macros - Slow macro re-signing

    The macro re-signing process was inefficient for certain object types. Applying the hotfix improves re-signing performance for instances with a very large number of objects or pages.

    9.0.37
  • Form controls - Accessibility validation failed for the Calendar form control

    When used in a form, the 'Calendar' form control generated a hidden <label> element in addition to the label in the form, which caused accessibility validation to fail for the form's output code.

    9.0.37
  • Email marketing - A/B tested emails sent twice to the test group of subscribers

    In certain cases, the winning variant of an A/B tested email was sent to the subscriber test group that already received one variant of the email.

    9.0.37
  • Contact management - Adding contacts to contact groups not possible in certain locations

    Users with sufficient permissions for managing contacts and contact groups were not able to add contacts to groups on the 'Contact groups' tab of the contact editing interface in the 'Contact management' application. No contact groups were displayed after clicking the 'Add to contact groups' button.

    9.0.37
  • API - Null event arguments for 'URLRewritingEvents.ProcessRewritingResult'

    When using custom event handlers for the 'URLRewritingEvents.ProcessRewritingResult' event, the 'URLRewritingEventArgs' parameter of the handler method was always null.

    9.0.37
  • Web parts - Google Maps web parts not specifying API version

    The Google Maps web parts did not specify API version when requesting data. This could cause the experimental Google Maps API version to be used, leading to potentially unstable functionality.

    9.0.36
  • Macros - SKU macro collections not working correctly

    Collections of product and product variant objects in the macro engine were not loaded correctly due to a name conflict between the given macro collections. After applying the hotfix, products are available in the 'SKUs' collection and product variants in the 'SKUVariants' collection, for example {%SiteObjects.SKUs%}.

    9.0.36
  • Cultures - Errors when using Azeri - Azerbaijan cultures

    The system handled text incorrectly in the context of 'Azeri - Azerbaijan' cultures, which caused errors in certain scenarios. For example, an error occurred when creating or editing pages of the 'Page (menu item)' type on a site using Azeri as its content culture.

    9.0.36
  • Contact management - Contact merging not working correctly when using Windows authentication

    When using Windows authentication and contact merging, individual contacts and their logged activities were all merged into one contact after creating a new session.

    9.0.36
  • Amazon S3 - Upload of large files to the Amazon S3 storage failing

    When using Amazon S3 for file storage, uploading of large (100MB+) files was inefficient and sometimes failed without notifying the user.

    9.0.36
  • Web parts & controls - Error when using the Google Sitemap web part to display the root page

    An error occurred when using the 'Google Sitemap' web part to display the root page.

    9.0.35
  • Search - Incorrect search results for pages containing the 'Editable image' web part

    Pages smart search indexes incorrectly contained properties of the 'Editable image' web part. This could affect the accuracy and relevance of search results.

    9.0.35
  • Portal engine - Error when displaying web part properties in certain cases

    If all non-system web part property fields of a web part were deleted, an error occurred when displaying the web part's properties in the Pages application.

    9.0.35
  • Pages - Reverted fix for error caused by setting a page alias to an unpublished page's alias path

    If an additional Page alias of a published page was set to the Alias path of an unpublished page, the system returned a 404 HTTP error for the given URL instead of displaying the published page on the live site. The issue was fixed in hotfix 9.0.17. However, the fix introduced other issues, which could, for example, cause incorrect page template inheritance in the Portal engine. After applying hotfix 9.0.35, the fix from hotfix 9.0.17 is removed. The issue will not be addressed in future hotfix versions.

    9.0.35
  • Pages - Error when saving pages in rare cases

    When saving a page with larger attachments containing textual data, a race condition error could occur if the page was indexed by the smart search.

    9.0.35
  • Form controls - 'Drop-down list' form control caused a JavaScript error in Internet Explorer 7

    When using the 'Drop-down list' form control with the 'Allow edit value' control setting property enabled, a JavaScript error was logged in Internet Explorer 7.

    9.0.35
  • Email marketing - Tracked email campaign links not using case-sensitive URLs

    Tracked links sent in email campaigns are converted to use lowercase URL paths by default. If you need to use case-sensitive URLs, you can override the default setting by adding the <add key="CMSLinkTrackerKeepUrlCase" value="true"/> key to your web.config.

    9.0.35
  • E-commerce - Customers charged for automatically added products

    If a Buy X Get Y discount was set to add a product to the shopping cart automatically for free, and the product was also included in another Buy X Get Y discount with a higher priority, the customer had to pay for the product and could not remove it from the shopping cart.

    9.0.35
  • Authentication - User settings not updated when using custom external authentication handlers

    When using custom external authentication handlers to modify user settings, the setting fields were not correctly updated the first time users signed in.

    9.0.35
  • Search - Smart search indexing HTML comments

    The smart search incorrectly indexed HTML comments when building Page indexes and then returned them in related search results.

    9.0.34
  • Search - Smart search indexing failed for certain PDF file page attachments

    When indexing PDF file page attachments, PDF files containing certain Unicode characters were not included in the smart search index.

    9.0.34
  • Form controls - Editable drop-down list form control not refreshing depending fields

    The 'Has depending fields' setting did not work for fields using the 'Drop-down list' form control with the 'Allow edit value' setting enabled. The resulting form wasn't refreshed when the field's value was changed.

    9.0.34
  • Deployment mode - Modified files not detected when synchronizing changes to the database

    When using deployment mode or the source control feature for external editing of object code, the 'Synchronize changes to database' function did not detect modifications of files correctly for objects with more than one externally stored code field.

    9.0.34
  • Caching - Cache item names containing Where condition code

    When using content caching for web parts with a query data source (for example the 'Repeater with custom query' web part) together with a Where condition, the name of the cache item incorrectly contained the Where condition code. This made it difficult to work with the cache item in custom code.

    9.0.34
  • Widgets - Tooltips of inline widgets incorrectly encoded in certain cases

    When using inline widgets with localized display names, the tooltip with the display name could be incorrectly encoded in certain cases.

    9.0.33
  • Widgets - Attachments tab not shown in Insert link dialog of inline widgets

    When using the 'URL selector' form control for a property of an inline widget, the Insert link dialog didn't show the Attachments tab.

    9.0.33
  • Translation services - Error when processing translations in special cases

    When processing translations, the system created invalid resource string names in special cases causing an error to occur.

    9.0.33
  • Search - Error when rebuilding page indexes

    An error could occur when rebuilding page search indexes if the indexed content included unpublished pages. The problem occurred after applying hotfix 9.0.31.

    9.0.33
  • Form controls - Validation error when saving 'List box' or 'Multiple choice' fields

    The 'Separator' advanced setting of the 'List box' and 'Multiple choice' form controls was incorrectly set as required. This caused a validation error when saving a form field on the 'Fields' tab after creating the field on the 'Form builder' tab.

    9.0.33
  • Web parts - Google maps web parts not working without Google Maps API key

    Google maps web parts did not work correctly in certain cases due to changes in the Google Maps API, which requires an API key to authenticate requests for data. After applying the hotfix, the Google maps web parts include a new property for entering the Google Maps API key.

    9.0.32
  • Images - Error when resizing images

    An error occurred in certain cases when the system resized images (most commonly for files in the GIF format).

    9.0.32
  • Continuous integration - Non-printing characters in data causing invalid XML files

    The continuous integration solution did not work correctly if a non-printing character (not valid in XML) was saved into the data of a tracked object or page. An error occurred during the serialization and the system produced incomplete and invalid XML files in the 'CIRepository' folder. After applying the hotfix, the system automatically removes such characters from text inputs.

    9.0.32
  • User interface - Broken layout in wizard interfaces

    Clicking check boxes or radio buttons within wizard interfaces with an active scroll bar (for example when editing fields in the new page type wizard) could break the wizard layout or cause incorrect scroll bar positioning.

    9.0.31
  • Translation services - Error when importing translated web part properties with long values

    When importing completed translations containing web part properties, an error occurred if one of the web part property values was longer than 200 characters.

    9.0.31
  • Search - Endless loop when rebuilding page indexes

    If search indexing was manually disabled for certain system fields of pages (for example the 'DocumentID' field), an infinite loop could occur when rebuilding page search indexes.

    9.0.31
  • Performance - Heavy memory usage due to insufficient object disposal

    Certain parts of the Kentico API did not dispose of objects correctly, which could lead to heavy memory usage and reduce the application's performance in some scenarios.

    9.0.31
  • On-line forms - BizForm properties not set in handlers of the control's OnAfterSave event

    When handling the 'OnAfterSave' event of the BizForm control in custom code, the 'FormInserted' and 'FormUpdated' properties of the control were not set correctly.

    9.0.31
  • Dashboards - Invalid content on the default template of the 'My desk' application

    When installing new Kentico instances from setup files with hotfix 9.0.7 or newer applied, the default template used by the widget dashboard in the 'My desk' application had incorrect content with invalid testing data.

    9.0.31
  • Attachments - Attachment binary data not removed from the file system

    When storing files in the file system, the binary data of attachments was not removed from the file system if the page with the attachment was deleted or destroyed.

    9.0.31
  • Pages - Confirmation dialog incorrectly shown in certain cases

    When uploading a file on the Form or Attachments tabs in the Pages application, navigating to a different page or tab could incorrectly cause a confirmation dialog to show (even though the file was saved automatically). The problem occurred after applying hotfix 9.0.24.

    9.0.30
  • Macros - Invalid macros in widget properties after updating macro signatures

    When updating macro signatures in the System application, certain types of macro expressions located in the definitions of editor widget properties were not processed correctly and became invalid.

    9.0.30
  • Field editor - Fields incorrectly reported as modified in inherited forms

    When editing inherited forms (for example properties of widgets or inherited web parts), the system incorrectly reported inherited fields as modified and the 'Reset field' button was active, even for fields that were unchanged from the original form. To fix the problem, you need to manually re-save the original form and then the inherited form after applying the hotfix.

    9.0.30
  • E-commerce - Product filter caused a database query timeout

    Filtering products and searching for them in the Products application caused a database query timeout on sites containing thousands of products.

    9.0.30
  • Attachments - Attachments incorrectly accessible by unauthenticated users in certain cases

    When using the 'Requires authentication' setting on the Security tab of pages, the page attachments could be accessible to unauthenticated users due to incorrectly cleared cache.

    9.0.30
  • Widgets - Attachments tab not shown in Insert link dialog of inline widgets

    When using the 'URL selector' form control for a property of an inline widget, the Insert link dialog didn't show the Attachments tab. In order to fix the bug, two files need to be replaced, ~\CMS\bin\CMS.CKEditor.dll and ~\CMS\CMSAdminControls\CKeditor\plugins\CMSPlugins\plugin.js. The hotfix only replaces the CMS.CKEditor.dll library. To fully fix the problem, apply hotfix 9.0.33.

    9.0.30
  • Staging - Incorrect culture versions of pages deleted in certain scenarios

    On sites with more than 2 content cultures running in an environment with at least 3 consecutive servers connected through staging, synchronization didn't work correctly when deleting culture versions of pages. When processing incoming 'Delete page' staging tasks, tasks for the next server were generated incorrectly, which could then delete the wrong culture version of the pages.

    9.0.29
  • Search - Unnecessary search tasks created when updating pages under workflow

    Updating pages under workflow generated an unnecessary number of search indexing tasks.

    9.0.29
  • Pages - Root page incorrectly accessible to unauthenticated users in certain cases

    When using the 'Requires authentication' setting (on the Security tab of pages) for the site root page, the root page could be accessible to unauthenticated users due to incorrectly cached page version.

    9.0.29
  • MV testing - Incorrect reports for MVT tests

    Conversion count reports for MVT tests displayed incorrect numbers.

    9.0.29
  • Localization - Culture names not localized in the selector in the Pages application

    When using localization expression in the 'Culture name' or 'Short name' properties of cultures, the values weren't localized in the text of the culture selector in the Pages application.

    9.0.29
  • Form controls - "Has depending fields" option not working for certain form controls

    The 'Has depending fields' option of form fields didn't work correctly with certain types of form controls (for example the 'URL selector' and other form controls that internally utilized an update panel). The resulting form wasn't refreshed when the field's value was changed.

    9.0.29
  • E-mail engine - Email attachment images not displayed in the Gmail client

    Emails sent from Kentico with image attachments that were added as inline email content were not displayed correctly when viewed in the Gmail client.

    9.0.29
  • Continuous integration - Site root page removed from continuous integration data during site import

    Importing a new site while using continuous integration for pages could delete the repository file representing the root page of a different site in certain cases. This could lead to sites displaying an empty content tree after restoring the page data back to the database.

    9.0.29
  • Continuous integration - Incomplete serialized data for inherited web parts

    The serialized data created by the continuous integration solution for inherited web parts was incomplete. As a result, certain property settings were incorrect after restoring inherited web parts from the repository. To fix the problem, you need to apply the hotfix and then serialize all objects again in the Continuous integration application.

    9.0.29
  • Alternative forms - Cloned alternative form could not be modified

    When cloning one of the default alternative forms under the system's module classes, the new form was not marked as custom and its properties couldn't be modified.

    9.0.29
  • Translation services - Translated content not imported for editable regions in special cases

    When importing completed translations, content was not imported for editable regions that were created by placing 'CMSEditableRegion' controls directly into the page layout code of portal engine page templates (outside of web part zones).

    9.0.28
  • Media library - Error when updating the metadata of media files

    When saving the metadata of a file in a media library on the 'Edit' tab, an unhandled error occurred if the file was being used by another process (for example video files opened for streaming).

    9.0.28
  • Form controls - List box form fields always shown as enabled

    Fields using the 'List box' form control were displayed as enabled in editing forms even if the field was disabled (for example using the field's Enabled condition or via content locking under workflow).

    9.0.28
  • Continuous integration - Inconsistent serialized data for search settings

    When saving the search settings for the fields of a data class (Page type, Custom table, Form, etc.), the serialized data created by the continuous integration solution was different every time, even for fields whose search settings were not changed (new GUID values were generated for the search setting items in the XML and their order changed).

    9.0.28
  • Search - Missing SearchTaskPriority field

    The 'SearchTaskPriority' field (column) was missing in the field definition of the Search task class, which could lead to errors when using the smart search functionality in rare cases.

    9.0.27
  • Import/Export - Error when exporting system modules as not sealed

    If one of the default system modules was selected when exporting sites or global objects, and the "Seal the selected modules" option was disabled, an unhandled error occurred and the export failed.

    9.0.26
  • Import toolkit - Update not working for pages in non-default cultures

    When using the Import Toolkit to update pages in a culture different than the global value of the instance's "Default content culture" setting, new pages were always created instead of updating the existing pages.

    9.0.26
  • Continuous integration - Inconsistent serialized data for inherited web parts

    The serialized data created for inherited web parts by the continuous integration solution was different every time the web part was stored, even if the web part definition was not changed (new GUID values were generated for property definitions during every store operation). To fix the problem, you need to apply the hotfix and then manually re-save the property definitions for all inherited web parts (click Save for any property on the Properties tab in the Web parts application).

    9.0.26
  • Macros - Improved logging for macro errors

    Increased the level of detail in event log entries for errors that could occur when initializing macro resolvers (helps determine the cause of the errors).

    9.0.25
  • Integration bus - Failed integration tasks blocked further processing

    If an integration task failed, processing was blocked for any remaining queued tasks (even if the error was non-critical and logged using the 'ErrorAndSkip' value from the 'IntegrationProcessResultEnum' enumeration).

    9.0.25
  • Data engine - Missing custom table and page type permissions when synchronizing roles

    When deploying roles using staging or the export/import feature, page type and custom table permissions assigned to the roles weren't set correctly on the target instance.

    9.0.25
  • Users - Custom registration form not using the 'Display message after registration' text

    Messages entered into the 'Display message after registration' property of 'Custom registration form' web parts didn't override the default text shown to newly registered users.

    9.0.24
  • URL rewriting & SEO - Unnecessary redirects when accessing URLs without a language prefix

    When the 'Use language prefix for URLs' setting was enabled, accessing page URLs without specifying the language prefix caused the system to perform unnecessary redirects. After applying the hotfix, the system performs only one permanent 301 redirect.

    9.0.24
  • URL rewriting & SEO - Google sitemap URL was inaccessible in certain cases

    When the 'Check page permissions' setting was set to 'All pages', the Google sitemap URL was inaccessible even if the page permissions were configured correctly.

    9.0.24
  • Pages - Changes made to content of collapsible field categories not saved in certain cases

    When using a collapsible field category that was collapsed by default, changes made to the fields contained in the category on the Form tab were not saved for pages under workflow in certain cases.

    9.0.24
  • Macros - Invalid syntax reported for scoring rule conditions

    The macro report tool (System -> Macros -> Report) incorrectly reported invalid syntax for macro rules added to scoring rule conditions in the Scoring application.

    9.0.24
  • Groups - User removed from all groups after being removed from a site

    Removing a user from a site (on the Sites tab of the user editing interface) removed the user from all community groups in the system, even those on other sites. After applying the hotfix, this action only removes the user from groups on the given site.

    9.0.24
  • Forums - Error when unsubscribing from forums and forum posts using the default unsubscription page

    An error occurred when unsubscribing from forums and forum posts using the default unsubscription page.

    9.0.24
  • Form controls - 'Use relative URL' setting not saved for form fields

    When configuring fields using the 'Rich text editor' or 'BBcode editor' form control, the system didn't save changes made to the 'Use relative URL' setting under the 'Media dialog configuration' options.

    9.0.24
  • Form controls - Inifinite loop when using the Multiple object binding control

    An infinite loop occurred when the 'Multiple object binding control' form control had the 'Target object column name' property set.

    9.0.24
  • E-commerce - Product filters caused a performance issue

    Filtering by SKUs in listings and dialogs caused a database query timeout on sites containing thousands of products.

    9.0.24
  • Media library - Incorrectly generated URLs to media library files in external storage in rare cases

    When storing media libraries in an external storage (for example Azure Blob storage or Amazon S3), the URLs to media files could be incorrectly generated in rare cases.

    9.0.23
  • Media library - Teaser image not saved when creating media libraries

    When creating a new media library, files uploaded into the 'Teaser image' field were not saved. The problem was introduced after applying hotfix 9.0.22.

    9.0.23
  • Import/Export - Error when importing page types with a required field

    When using the import feature to update an existing page type, an error could occur if the updated page type changed a text field to 'Required' with an empty default value.

    9.0.23
  • General - Images were always resized to the default resolution (96 DPI)

    When changing dimensions of images, the system didn't maintain the original DPI resolution and resized the images to the default resolution (96 DPI).

    9.0.23
  • E-commerce - Performance issue in Buy X Get Y discounts

    A database query timeout occurred when configuring a Buy X Get Y discount's "Get" condition on sites containing thousands of products with variants.

    9.0.23
  • Workflow - Warning message after applying the 9.0.21 source code hotfix and rebuilding the project

    After applying the 9.0.21 hotfix on a source code installation and rebuilding the project, a warning message was displayed due to a missing XML comment of a method parameter.

    9.0.22
  • Web parts & controls - 'Show new button' not working for repeater web parts on unpublished pages

    When using the 'Show New button' option of repeater web parts, the button for adding new pages was not shown if the repeater was placed on an unpublished page.

    9.0.22
  • Search - Error rebuilding Pages indexes if an indexed page contained an undefined widget

    Rebuilding Pages smart search indexes caused an error when an indexed page contained an instance of a widget whose definition was previously deleted in the Widgets application.

    9.0.22
  • Search - Synonym search not working with search filters

    When using the 'Any word or synonym' search mode, the synonym search didn't work if a search filter was connected to the search web part.

    9.0.22
  • Import/Export - Triggers for marketing automation processes imported twice

    When importing a site or object package containing marketing automation processes, triggers of the processes were imported twice.

    9.0.22
  • Form controls - 'Tag selector' form control caused an error in certain cases

    When using the 'Tag selector' form control, trying to select tags caused an error if no tags were available or the page had no tag group specified. After applying the hotfix, the Select button of the form control is disabled when no tag group is specified for the page.

    9.0.22
  • Dialogs - Inconsistencies when using the 'Insert image or media' dialog in non-default cultures

    The 'Combine files with default culture' setting was not applied correctly when using the 'Insert image or media' dialog. This could lead to inconsistencies, for example when selecting images in the content tree of the dialog's Content tab.

    9.0.22
  • URL rewriting & SEO - Incorrect 302 redirect when accessing URLs without a language prefix

    When the 'Use language prefix for URLs' setting was enabled, accessing page URLs without specifying the language prefix led to a standard 302 redirect instead of a permanent 301 redirect.

    9.0.21
  • Portal engine - Incorrect drag & drop behavior in relatively positioned web part zones

    Drag & drop functionality didn't work correctly for elements within web part or widget zones on the Page and Design tabs in the Pages application if the styles of the page applied relative positioning to the zones.

    9.0.21
  • Attachments - Page attachments not displayed correctly when using URLs with trailing slash

    Page attachments were not displayed correctly when the 'Use URLs with trailing slash' setting was set to 'Always use URLs with trailing slash'.

    9.0.21
  • Attachments - 'Attachments' field items retrieved via generated classes were in incorrect order

    When retrieving attachments from an 'Attachments' page type field in code via generated classes, the returned attachment items were not sorted according to the order defined on the page's Form tab.

    9.0.21
  • Users - Group filters in the Users application did not work

    When working with the advanced search filter in the Users application, selecting groups for the 'In groups' or 'Not in groups' fields did not add the values to the filter and the search condition was not applied.

    9.0.20
  • URL rewriting & SEO - Domain alias redirection didn't work for lower case URLs

    When using domain alias redirection for sites, navigating to the site's domain alias URL in lower case format did not cause redirection set by the 'Redirect URL' property.

    9.0.20
  • On-line forms - Incorrect code name for cloned forms

    When cloning forms, the system didn't save the new form's code name correctly for the class representing the form. This could lead to inconsistencies, for example when selecting alternative forms of the cloned form.

    9.0.20
  • Modules - Insufficient error messages when installing module packages from newer versions

    Errors logged when attempting to install NuGet module packages created on a higher hotfix version than the target instance didn't contain sufficient information.

    9.0.20
  • Marketing automation - 'Move to specific step' selector not displaying all available steps

    When editing a process for a contact in 'Marketing automation -> Processes -> Contacts', the 'Move to the specific step' selector did not have a scroll bar for displaying all available steps.

    9.0.20
  • Form engine - Incorrect validation for 'Rich text editor' fields with a required value

    Validation didn't work correctly for form fields that were set as 'Required' and used the 'Rich text editor' form control. Values couldn't be saved if the only content was a void HTML tag (for example an image without any other content).

    9.0.20
  • Form controls - Selecting an Attachment group item via the 'more page types...' option did not work

    The 'Attachment field selector' form control did not save values selected via the 'more page types…' option. This affected the 'Attachment group' property of the 'Attachments data source', 'Page attachments', and 'Page attachments with effect' web parts.

    9.0.20
  • Data engine - Unit test error when filtering based on DateTime fields

    When running unit tests using the Kentico testing API, an error occurred when attempting to filter data of faked in-memory objects based on a DateTime field.

    9.0.20
  • API - Error when running automated tests for custom Info objects

    When creating automated tests for a custom module class (Info object) using the Kentico testing API, running multiple tests in sequence for the same Info object resulted in an error.

    9.0.20
  • Workflow - Notification email did not include comment text when using advanced workflow

    When moving pages to advanced workflow steps that allow entering a comment, the comment text was not included in the notification email.

    9.0.19
  • Pages - Page inconsistencies when calling the TreeProvider API in custom code

    Calling the TreeProvider API in custom code for a page could cause the system to use an incorrect cached version of the page's data in special cases. For example, this could cause the system to move customized pages under workflow into an invalid state after the undo checkout action was used.

    9.0.19
  • On-line forms - Form Items collection was cached incorrectly in macros

    When using the 'Items' property of form objects (BizFormInfo) in macros, the data was incorrectly cached. For example, when using the 'SiteObjects.Forms.FormName.Items' macro (where FormName is a code name of a form), the latest data wasn't returned.

    9.0.19
  • Continuous integration - Restoring of data failed when changing the page type of an existing page

    Restoring of pages using continuous integration failed if one of the restored pages already existed in the target database with the same name and location, but with a different page type.

    9.0.19
  • Contact management - Contacts unsubscribed from all email campaigns not updated in Contact groups, P

    When a contact unsubscribed from all email campaigns, the contact was not updated in Contact groups, Personas and Scoring using the macro rule "Contact is subscribed to a specified email campaign".

    9.0.19
  • Attachments - Custom 'Page not found' page was not returned for invalid page attachment URLs

    Invalid page attachment URLs did not return a custom 'Page not found' page (if configured for the site).

    9.0.19
  • AD Import - User setting fields not updated for existing users

    When updating existing users through the AD Import utility, user setting fields were not updated. User settings include the fields found on the 'Settings' tab when editing users (those stored separately in the CMS_UserSettings database table).

    9.0.19
  • Web analytics - Web analytics didn't work correctly with the Buddhist calendar during leap years

    When using the Buddhist calendar in the Thai culture, processing of page views logged by Web analytics got stuck on the leap year day, February 29.

    9.0.18
  • Portal engine - Shared layouts not read-only in the Page templates application

    When using shared layouts for page templates, the system incorrectly allowed editing of the selected shared layout on the Layout tab of the Page templates application.

    9.0.18
  • Pages - Incorrect Preview URL generated for pages based on the 'File' page type

    The Preview URL was incorrectly generated for pages based on the 'File' page type. Navigating to the generated Preview URL led to an 'Access denied' error.

    9.0.18
  • MVC - Missing Kentico files in MVC applications deployed to Azure Web Apps or via Web deploy

    When deploying MVC applications to Azure Web Apps or via Web deploy, the 'CMSDependencies' and 'CMSResources' folders were missing from the project.

    9.0.18
  • Media library - Broken preview image in the 'Media selection' form control when using cloud storage

    The 'Media selection' form control displayed a broken preview image on the Form tab of pages if the image was uploaded to a cloud storage.

    9.0.18
  • Macros - Format macro method not working correctly

    The 'Format' macro method didn't work correctly. The method is used to build text using composite formatting of string parameters.

    9.0.18
  • General - Clone wizards allowed non-unique DB table name values for cloned objects

    When cloning custom tables, page types, forms, or custom module classes, the system allowed assigning of existing 'DB table name' values to the cloned object. After deleting the clone, the original object could not be deleted from the administration interface.

    9.0.18
  • E-commerce - Coupon code wasn't visible when editing orders

    The applied product coupon code wasn't displayed when editing an order in the Orders application.

    9.0.18
  • Contact management - Customer registration activity logged for every purchase

    After applying hotfix 9.0.13 or newer, the 'Customer registration' activity was logged for every purchase. This activity is not used at all in the web part-based checkout process and is used only by the obsolete Checkout process web part.

    9.0.18
  • API - Error when running parallel automated tests in rare cases

    When running parallel automated tests using the Kentico testing API, a race condition error occurred in rare cases.

    9.0.18
  • Workflow - Save and Publish actions caused an error for pages with 'Time interval' fields

    Saving and publishing pages with fields of the 'Time interval' data type caused an error because the system used an incorrect format when loading the page data.

    9.0.17
  • Web parts - Incorrect redirection by the Custom registration form web part

    The 'Custom registration form' web part didn't redirect newly registered users to the URL specified in the 'Redirect to URL' property if a return URL parameter was present in the query string of the request's URL.

    9.0.17
  • Web analytics - Logging of web analytics causing an error in rare cases

    An error stating "Cannot write to a closed TextWriter" occurred when logging web analytics in certain cases (on sites under heavy load).

    9.0.17
  • Time zones - Incorrect current time in the date and time selector

    When opening the date and time selector for a field using the 'Calendar' form control, the default current time was incorrect if the time zone used on the client device was different than the server time zone configured on the Kentico instance.

    9.0.17
  • REST - Creation of users failed without setting the UserIsGlobalAdministrator field

    Creation of new users via the REST service failed if the data of the POST request did not specify a value for the 'UserIsGlobalAdministrator' field (this field should not be required). The problem occurred after applying hotfix 9.0.15.

    9.0.17
  • Pages - Setting a page alias to an unpublished page's alias path caused an error

    If an additional Page alias of a published page was set to the Alias path of an unpublished page, the system returned a 404 HTTP error for the given URL instead of displaying the published page on the live site.

    9.0.17
  • Page types - 'Pages' fields stopped working after changing the page type code name

    Changing the code name of a page type caused fields of the 'Pages' data type to stop working and not display previously added pages.

    9.0.17
  • Facebook connect - Missing information in email notifications about newly registered users

    When a user registered on a site using the 'Facebook Connect logon' web part, the email notifications sent to administrators about new users didn't contain the user's names and email address (even though the created user account contained the given data).

    9.0.17
  • Content Personalization - Editing items in the list of variants for web part zones

    When viewing the list of content personalization or MVT variants defined for a web part zone, clicking the edit action for a specific variant caused an error and closed the dialog.

    9.0.16
  • Web parts - Web part layouts not working on Microsoft Azure in certain cases

    When running on Microsoft Azure, an error occurred when loading instances of web parts with a non-default layout assigned, if the layout contained a comment in the "<%-- comment --%>" format.

    9.0.15
  • Web farms - Failed web farm synchronization for imported media files

    When importing media files into a site running in a web farm environment, the media files were not synchronized to other servers (the corresponding web farm tasks resulted in an error).

    9.0.15
  • Security - Users restored from the recycle bin with the Global administrator Privilege level

    When restoring deleted users from the recycle bin, the user's Privilege level was incorrectly set to Global administrator.

    9.0.15
  • Page types - Editing form property missing on the General tab

    The 'Editing form' property was missing on the General tab of the page type editing interface and could not be edited.

    9.0.15
  • Modules - Module class customization not working with continuous integration enabled

    When continuous integration was enabled, customization of search settings didn't work for the fields of system objects (the 'Customize' option didn't work on the 'Search' and 'Layout' tabs of classes in the Modules application).

    9.0.15
  • Licensing - Incorrect license limitation for the number of allowed blogs

    When counting the maximum number of allowed blogs for certain license editions (Base and Free), the system incorrectly included different language versions of the same blog page.

    9.0.15
  • Code generation - Invalid multi-line comments generated in the code of module classes

    When generating code for custom module classes, the system produced invalid code in the summary sections of properties for class fields that had a 'Description' containing line breaks. This could cause compilation errors after the code was saved.

    9.0.15
  • Web parts & controls - Missing text for the submit button in the My Account web part

    The submit button on the 'Personal settings' tab of the editing interface generated by the 'My Account' web had an empty text caption.

    9.0.14
  • Scheduler - Scheduled task errors when using the external scheduler with multiple sites

    When using the external scheduler on instances with multiple sites, global tasks could be started multiple times in certain cases. This could cause "File not found" errors when running the 'Process analytics log' task.

    9.0.14
  • Pages - Changing a field set as the Page alias source field did not update Page alias

    Changing the value of a custom field set as the 'Page alias source field' of a page type did not update the 'Page alias' of a page.

    9.0.14
  • General - Posting data caused an error on pages using output caching

    An error occurred when posting data to the server (e.g. submitting forms) on pages that were served from the output cache. The problem was caused by a missing security token (cross site request forgery protection), which was not stored correctly in the browser when loading pages from the output cache.

    9.0.14
  • Debug - ViewState debug displaying controls with disabled ViewState

    The ViewState debug incorrectly displayed values for controls that had ViewState disabled (using ViewStateMode="Disabled"). Also, the 'Total size' value was not displayed in the ViewState debug on the live site if the 'Move ViewState to the end of the page' setting was enabled.

    9.0.14
  • Content Personalization - Adding personalization variants to layout web parts

    It was possible to add content personalization or MVT variants for layout web parts. This scenario is not supported and the option is now hidden for layout web parts.

    9.0.14
  • API - The ICurrentContactProvider interface couldn't be easily implemented

    Interfaces used in the DefaultCurrentContactProvider class, the default implementation of the ICurrentContactProvider interface, were originally marked as internal (for example IContactValidator). After applying the hotfix, the interfaces are public, which makes it easier to create custom ICurrentContactProvider implementations.

    9.0.14
  • Widgets - Adding of widgets to widget dashboards did not work correctly

    An error ocurred when adding widgets to widget dashboards (e.g. My Desk) when the 'Use check-in/check-out for objects' setting was enabled.

    9.0.13
  • Scoring - Contact list sorting in the Scoring application didn't work

    Sorting by columns on the Contacts tab in the Scoring application didn't work as expected.

    9.0.13
  • Performance - Unnecessary SQL queries when On-line marketing was enabled

    When On-line marketing was enabled, the system performed unnecessary SQL queries when creating contacts, particularly when also using campaign tracking. The problem was caused due to insufficient caching.

    9.0.13
  • Performance - User agent logging couldn't be disabled for contacts

    It wasn't possible to disable logging of user agents for contacts in 'Settings -> On-line marketing -> Contact management'. Logging of user agents can now be disabled or enabled together with logging of IP addresses.

    9.0.13
  • Pages - Compare feature removed for content only sites in Preview mode

    An error occurred when attempting to compare language versions of content only pages in Preview mode for content only sites. After applying the hotfix, the Compare feature is no longer available for content only sites.

    9.0.13
  • Object versioning - Restoring multiple objects within a category from the recycle bin

    Restoring of objects from the recycle bin did not work correctly for objects that belong under the same category object. Restoring of the first object succeeded, but an error occurred when attempting to restore other objects belonging to the same category.

    9.0.13
  • Groups - Special characters incorrectly encoded in the subject of group notification emails

    Special characters in a group's 'Display name' were incorrectly encoded in the subject of group notification emails.

    9.0.13
  • E-commerce - Product variants ignored min/max items limitations

    When buying variants of products, the limitations of minimum and maximum numbers of units in one order weren't checked. This enabled customers to bypass these limitations and buy unpermitted amounts of product.

    9.0.13
  • E-commerce - Product properties updated only in the default culture

    When modifying product properties on a multilingual site, values weren't saved if the selected culture was different than the site's default culture.

    9.0.13
  • Contact management - Customer registration activity wasn't logged

    The customer registration activity wasn't logged in the checkout process. Customer membership wasn't created for the contact.

    9.0.13
  • Web farms - Non-existing query called during web farm synchronization in certain cases

    If an error occurred during the synchronization of a web farm task, the system attempted to call a non-existing query in certain cases, which generated an unrelated error. After applying the hotfix, synchronization errors are correctly recorded into the result of the corresponding task.

    9.0.12
  • Page types - Default 'Name' field was not shown on the Form tab of pages

    If the 'Required' flag was disabled for a field set as the 'Page name source field' of a page type, the system did not correctly switch the page name source to an extra field (the Page name source field selector was updated, but the actual value was not changed). As a result, the default 'Name' field was not shown on the Form tab of pages in these scenarios.

    9.0.12
  • Output filter - Empty responses returned if the Content-Type was not 'text'

    After applying hotfix 9.0.4 or newer, the application returned empty responses in certain cases if the Content-Type was different than the 'text' subtype (for example REST or Web API responses). The problem occurred only for URLs covered by the system's output filter.

    9.0.12
  • Macros - Open macros rewritten into an internal format after re-signing

    When resigning macros in System -> Macros -> Signatures with an 'Old salt' value specified, macro expressions containing open conditions or loops were incorrectly rewritten into an internal format that was difficult to read. After applying the hotfix, you need to re-save any open macros where the problem occurred.

    9.0.12
  • Hotfix - Incorrect assembly version when hotfixing source code projects

    Hotfixes did not update the assembly version information stored in the GlobalAssemblyInfo.cs file. This could cause incorrect and confusing version numbers for assemblies when compiling the source code edition of Kentico.

    9.0.12
  • Continuous integration - Serialized data not updated after editing page type fields

    After saving changes to the fields of a page type, the continuous integration solution did not correctly update the serialized data representing the given page type in the 'CIRepository' folder. The problem occurred after applying hotfix 9.0.8 or newer.

    9.0.12
  • Continuous integration - Missing information for errors that occurred when restoring CI data

    If an error occurred when restoring continuous integration data to the database, the API (and ContinuousIntegration.exe utility) did not provide sufficient information about the source of the problem.

    9.0.12
  • Campaigns - Incorrect browser-specific validation messages in the campaign editing form

    Some browsers displayed browser-specific validation messages within the campaign editing form (the form's 'novalidate' attribute was not specified).

    9.0.12
  • API - 'Attachment' property not initialized for the WorkflowEventArgs argument of event handlers

    When using global event handlers based on the 'SaveAttachmentVersion' or 'RemoveAttachmentVersion' events from the WorkflowEvents class, the 'Attachment' property of the WorkflowEventArgs argument was not initialized.

    9.0.12
  • AD Import - Import not removing domain roles correctly when updating users

    When updating users, the AD Import utility did not remove assigned domain roles in cases where the user was no longer a member of the corresponding group in the Active Directory domain.

    9.0.12
  • Search - Incorrect search results for pages containing editor widgets

    'Pages' type smart search indexes incorrectly contained the full property definitions of editor widgets placed on the covered pages, including metadata. This could affect the accuracy and relevance of search results. After applying the hotfix, only the content of 'text' or 'long text' widget properties is indexed.

    9.0.11
  • Pages - Publishing pages under workflow set the Sitemap priority to 'Lowest' from 'Normal'

    When publishing pages under workflow that used the 'check-in/check-out' feature, their Sitemap priority property (Page properties -> Navigation -> Search & SEO) was set to 'Lowest' if the original value was 'Normal'.

    9.0.11
  • Page types - Error when deleting 'File' page type fields without database representation

    Deleting a Field without database representation with its Data type set to 'File' in the Page types application caused an error.

    9.0.11
  • Marketing automation - 'Internal search' or 'External search' activity not starting marketing automa

    Marketing automation triggers based on the 'Internal search' or 'External search' activity didn't work (the marketing automation process was not started for contacts who performed the activity).

    9.0.11
  • Macros - Macro autocomplete help not displaying methods correctly in certain cases

    The macro autocomplete help didn't display the list of available methods correctly for macro namespaces and objects if one of the method's names contained the name of the given namespace or object.

    9.0.11
  • General - Error when the On-line marketing component wasn't installed

    On installations without the 'On-line marketing' component, visiting the live site could result in error after applying the 9.0.10 hotfix.

    9.0.11
  • Cultures - Error when accessing untranslated pages

    When the 'Combine with default culture' setting was enabled, accessing a page in an untranslated culture resulted in an error, instead of displaying the default culture version of the page. The error only occurred after applying hotfix 9.0.10.

    9.0.11
  • Campaigns - Campaign statistics and conversions not logged for cached pages

    Campaign statistics and conversions weren't logged when accessing cached pages (using output caching). The error only occurred after applying the 9.0.10 hotfix.

    9.0.11
  • Web parts & controls - Wrong transformation used for pages with an underscore in their Page alias

    When displaying the details of pages with an underscore character in their Page alias, listing web parts used the Default transformation instead of the Selected item transformation.

    9.0.10
  • Social Marketing - License error when collecting social media data using the external scheduler

    When running the scheduled tasks for collecting Facebook and Twitter insights using the external scheduler, a license limitation error occurred, even though the correct license was available.

    9.0.10
  • Scheduler - Infinite loop when planning the next run time of scheduled tasks in rare cases

    Planning of the next run time for scheduled tasks resulted in an infinite loop in rare cases. This could cause very high CPU usage on the server.

    9.0.10
  • Pages - 'Parent' property of TreeNode objects did not include the data of page type fields

    When accessing the 'Parent' property of page (TreeNode) objects in macros or transformations, the parent element did not contain data for the fields of specific page types.

    9.0.10
  • Licensing - Web farm license limitation errors with disabled web farms

    Web farm license limitation errors were logged into the event log in certain cases, even if web farms were disabled and the system did not contain a license supporting web farms.

    9.0.10
  • Import/Export - Export packages containing bindings between objects from the wrong site

    When creating export packages on instances with multiple sites, the exported data could contain bindings between objects from the wrong site in rare cases.

    9.0.10
  • General - Redirects to Kentico project files when initializing the Kentico API externally

    When initializing the Kentico API in an external application, the system incorrectly attempted to redirect to pages located within the Kentico project files in certain cases (for example when handling errors). These pages typically do not exist in external applications.

    9.0.10
  • Files - Special characters in filenames were encoded on download in webkit-based browsers

    When downloading a file from the content tree in a webkit-based browser, its filename was encoded if it contained special characters (i.e. data,file.txt was encoded to data%2cfile.txt).

    9.0.10
  • Email marketing - Unsubscribtion confirmation email not sent to contact group subscribers

    Subscribers who were subscribed to an email campaign as part of a contact group didn't receive a confirmation email when they unsubscribed from the campaign.

    9.0.10
  • E-commerce - Changing the main currency caused exceptions

    If the recalculated prices after changing the main currency were close to zero, transformations on the live site could have rounded the number to zero and then thrown exceptions because of dividing by zero.

    9.0.10
  • Continuous integration - Binding objects not tracked when creating new sites

    The continuous integration solution did not track the creation of binding objects when adding new sites using the wizard in the Sites application.

    9.0.10
  • Campaigns - Page variants in A/B tests not displayed as part of campaigns

    Conversions of alternative page variants of A/B tests weren't displayed among reports in the Campaigns application.

    9.0.10
  • API - MultiDocumentQuery API ignored ordering when using the 'Page' method

    When using the MultiDocumentQuery API, calling the 'Page' method caused the query to ignore ordering specified through 'OrderBy' methods.

    9.0.10
  • Web parts - Paging not working for Universal viewer with custom query in certain cases

    Paging didn't work when using the 'Universal viewer with custom query' web part if the 'Load individual pages' property was enabled and the 'Cache item name' property was set to a custom value.

    9.0.9
  • Web farms - Resource string content not synchronized correctly on web farms

    When running in a web farm environment, updates to the content of resource strings didn't invalidate the resource strings cached on other servers in the web farm. As a result, old resource string content was displayed until the cache was cleared for the given server.

    9.0.9
  • User interface - Username pre-filled in the application list search box in Chrome

    When viewing the application list in the Chrome browser, the search box was pre-filled with the current user's username if the login credentials were saved in the browser and the Chrome Autofill feature was enabled.

    9.0.9
  • Staging - Links missing in the titles of page tasks in the 'Staging' application

    When viewing staging tasks on the 'Pages' tab of the 'Staging' application, the titles of the listed tasks did not provide clickable links to the related pages.

    9.0.9
  • Scheduler - Scheduled tasks with a monthly interval not running

    Scheduled tasks with the 'Period' property set to 'Month' were not planned correctly (the system did not set a 'Next run' time).

    9.0.9
  • Continuous integration - Child pages of linked pages not updated correctly

    Child pages of linked pages weren't updated by the continuous integration solution when the source page of the link or one of its ancestors was renamed, moved or deleted.

    9.0.9
  • Web parts - Paging not working for Universal viewer web parts with certain configurations

    'Universal viewer' and 'Universal viewer with custom query' web parts caused an error if Paging mode was set to 'Postback' and the Pager position was set to 'Bottom' or 'Top and bottom'.

    9.0.8
  • Search - Pages with an excluded parent not indexed correctly

    Page search indexes didn't work correctly if the indexed content included pages whose parent was excluded. When the content of such pages changed, the search index wasn't updated.

    9.0.8
  • Pages - Owner of content only pages could not be changed in the Pages application

    Saving changes made to the Owner field of content only pages on the General tab in the Pages application caused an error.

    9.0.8
  • Pages - Scripts used in the administration UI were loaded on the live site

    Scripts used in the administration UI were loaded on the live site in anonymous sessions when not required.

    9.0.8
  • Page types - 'Assigned objects -> Page types' tab not working in the Sites application

    When editing sites in the Sites application, it wasn't possible to assign or remove page types for the site on the 'Assigned objects -> Page types' tab.

    9.0.8
  • Macros - Where macro method not resolved correctly in transformations

    When calling the 'Where' macro method for a collection of objects within a text transformation, the method worked correctly only for the first item to which the transformation was applied.

    9.0.8
  • Email marketing - Duplicate scroll bar displayed when creating new emails

    When creating or modifying campaign emails, a duplicate scroll bar was displayed on the screen.

    9.0.8
  • Continuous integration - Page data not updated after renaming a page type field

    After renaming a field of a page type, the continuous integration solution did not update the serialized data representing pages of the given type (i.e. the 'fields.xml' files of individual pages stored in the 'CIRepository' folder).

    9.0.8
  • Attachments - Attachments of page culture versions were not restored correctly

    When restoring culture versions of pages from the recycle bin, attachment files stored in page fields were not restored correctly.

    9.0.8
  • Search - Search crawler not indexing sites with an invalid security certificate

    The smart search crawler does not index pages on HTTPS sites without a certificate from a trusted authority. If you need to use self-signed certificates, you may override the certificate validation by adding the <add key="CMSSearchCrawlerAcceptAllCertificates" value="true" /> key to your web.config.

    9.0.7
  • On-line forms - Form database tables not deleted with sites

    When deleting a site, the system did not remove the database tables storing the data of forms assigned to the given site.

    9.0.7
  • Macros - Editable text web part property did not resolve macros in on-site edit mode

    The 'HTML editor toolbar set' property of the Editable text web part did not resolve macros in on-site edit mode.

    9.0.7
  • Email marketing - Link tracking records stored with inconsistent letter case in the database

    When using link tracking for campaign emails, the system didn't consistently store the links in lower case in the database. The issue does not affect the link tracking functionality and was only fixed for the purposes of consistency.

    9.0.7
  • Blogs - Adding the Blogs application live tile to a user's dashboard caused an error

    When the Blogs application live tile was added to a user's dashboard, the system could not retrieve the number of blog posts and caused an error.

    9.0.7
  • Blogs - Error when selecting sites for the Blog comments widget

    When configuring the 'Blog comments' widget, an error occurred after changing the value of the 'Site name' property. In general, the problem could be triggered by postbacks during the configuration of any web part or widget with a property based on the 'Blog name selector' form control.

    9.0.7
  • API - ProductOptionSelector didn't contain a setter for the SKU property

    The SKU property of the 'ProductOptionSelector' control didn't contain a setter. Selecting an option's SKU with the control therefore required an unnecessary database request when getting the SKU with its ID.

    9.0.7
  • E-commerce - Inapplicable payment methods could have been used for orders

    Orders could have been created with a payment method which wasn't applicable when no shipping was required.

    9.0.7
  • Staging - Staging tasks not logged for pages under workflow with a publish from date

    If a page under workflow had the "Publish from" date set in the future, editing the page and moving it to the published step did not log a corresponding "Publish page" staging task (the task was logged only after the publish date). After applying the hotfix, the staging task is logged immediately, which allows synchronization of the page's published state with a set "Publish from" date.

    9.0.6
  • Portal engine - HTML envelope displayed for invisible web parts in on-site editing mode

    When using on-site editing mode as an editor without the administrator privilege level, content defined through the 'HTML envelope' properties of web parts was incorrectly displayed for web parts that were not visible.

    9.0.6
  • Pages - Error when displaying related pages assigned through content modeling with specified columns

    An error occurred when using listing web parts to display related pages defined through a field of the 'Pages' type (advanced content modeling) in combination with columns specified in the Columns property.

    9.0.6
  • On-line forms - Date type fields included time values in form notification and autoresponder emails

    Email notifications about new data records submitted for forms and autoresponder emails incorrectly displayed time values for fields of the 'Date' data type (in addition to the entered date).

    9.0.6
  • Modules - Child UI elements not restored from the recycle bin with their parent

    After deleting a UI element with child elements, the child elements were not displayed in the recycle bin. Restoring the parent did not restore the child elements.

    9.0.6
  • Avatars - Avatar selector did not save updated avatar images

    When replacing existing avatar images, the new image was not saved if uploaded directly after the old image was removed without first submitting the change.

    9.0.6
  • API - Database timeout errors for isolated integration tests

    Automated tests inheriting from the 'CMS.Tests.IsolatedIntegrationTests' base class failed due to database timeout errors under certain circumstances.

    9.0.6
  • Web analytics - Unnecessary web analytics requests for searches with empty keywords

    When using web analytics, the system generated unnecessary SearchLogHit requests when searches with empty keywords occurred on the site.

    9.0.5
  • Staging - Staging of page updates not working for license editions lower than EMS

    An error occurred when synchronizing "Update page" staging tasks on instances without an EMS license (Ultimate or lower).

    9.0.5
  • Search - Incorrect search result highlighting when using custom handling of diacritics

    Highlighting of keywords in smart search results didn't work correctly when using the 'TextHelper.OnBeforeRemoveDiacritics' event to customize handling of diacritics in a way that replaces special characters with a string of a different length. Note that the search does not highlight text with diacritics in scenarios where the search keywords contain the equivalent string without diacritics (even after applying the hotfix).

    9.0.5
  • Scheduler - Incorrect late execution warnings for external scheduled tasks

    Scheduled tasks configured to be executed by the external scheduling service incorrectly displayed warnings about late execution in certain cases.

    9.0.5
  • Pages - Culture version of a page could not be restored from the recycle bin

    Restoring culture versions of pages from the recycle bin could cause an error if the first restored version was not in the site's default culture.

    9.0.5
  • Macros - ToString macro method not applying formatting strings for date values

    When calling the 'ToString' macro method for DateTime or TimeSpan values with a formatting string parameter, the specified format was not applied to the result.

    9.0.5
  • Email marketing - Check bounced emails task not working with the external scheduling service

    The 'Check bounced emails' scheduled task does not work when executed using the external scheduling service. Applying the hotfix disables the 'Use external task' property for the task on all existing sites. If you use the external scheduling service, you may need to manually disable the property for new instances of the task after creating or importing a new site.

    9.0.5
  • E-commerce - Error when creating orders on installations without On-line marketing

    On installations without the 'On-line marketing' component, an error occurred when adding a new customer during the creation of an order in the 'Orders' application.

    9.0.5
  • Controls - Invalid messages displayed by the multi-file uploader control

    The 'MultiFileUploader' control displayed an invalid message in scenarios where the number of uploaded files exceeded the maximum allowed number set through the 'MaxNumberToUpload' property.

    9.0.5
  • Contact management - Removing all accounts from a contact group with a separated database

    When using a separated on-line marketing database, the action for removing all accounts from a contact group didn't work and an error was logged into the event log.

    9.0.5
  • Caching - Web parts with a page data source losing cached data

    Web parts containing a page data source (for example the 'Repeater' or 'Universal viewer') could lose their cached data in scenarios where a custom value was set for the 'Cache item name' property. The problem usually only occurred on sites with heavy traffic.

    9.0.5
  • Authentication - Authentication not working after setting the CMSUserSaltColumn key

    Authentication of users did not work after setting the 'CMSUserSaltColumn' web.config key to a custom value.

    9.0.5
  • API - Automated tests fail when located outside the Kentico solution folder

    Automated tests inheriting from any of the CMS.Tests base classes failed when located in a project outside of the Kentico solution folder (CMS).

    9.0.5
  • API - Error when calling TreeProvider.SelectNodes for multiple page types

    Calling the 'TreeProvider.SelectNodes' method resulted in an error if the parameters were configured to retrieve multiple page types and a data column shared by at least two of the page types.

    9.0.5
  • Scheduler - Error in the scheduled task list when using the external scheduling service

    An error occurred when loading the list of scheduled tasks if any task had its "Period" property set to "Once" and was configured to be processed by the external scheduling service.

    9.0.4
  • REST - Hash authentication parameter not working in certain cases

    When generating authentication hash parameters in 'Settings -> Integration -> REST', the system produced invalid hash values for certain types of URLs.

    9.0.4
  • On-line forms - Date type field entries included time in recorded data

    Entries in fields of the 'Date' data type incorrectly displayed time in addition to the entered date on the 'Recorded data' tab of the form editing interface. Use the 'Date and time' data type for recording both date and time in one field.

    9.0.4
  • Modules - 'Save as new page template' action not working correctly for UI elements

    The 'Save as new page template' dialog did not work correctly when editing UI elements in the Modules application.

    9.0.4
  • Widgets - Values in widget properties overwritten in certain cases

    Widget properties were initialized in an incorrect life cycle phase. This caused the View State values to be overwritten by the initial values in certain cases.

    9.0.3
  • Users - Error when deleting the default administrator user account

    An error occurred when attempting to delete the default global administrator user account. After applying the hotfix, the system blocks the deletion and provides information about the need to first set a different default administrator through the 'Settings -> System -> Default user ID' setting.

    9.0.3
  • UniGrid - Resource strings not localized in column tooltips

    The tooltips of columns in object listings provided by the UniGrid component did not localize resource strings in the displayed text (even if localization was allowed for the given column in the grid definition).

    9.0.3
  • Sites - Ad-hoc master templates incorrectly displayed in the new site wizard

    When creating a site through the new site wizard, the master page selection step incorrectly displayed ad-hoc master templates. Only shared master templates are offered for selection after applying the hotfix.

    9.0.3
  • Portal engine - Direct pager in the query universal viewer web part not changing values

    The direct page selector used by the 'Universal viewer with custom query' web part did not behave correctly after setting 'Paging mode' to 'Postback', enabling 'Use update panel' and changing values using the 'directPageControl' control (used in the 'CMS.PagerTransformations.General-DirectPage' transformation).

    9.0.3
  • Pages - The URL of a page under a workflow changed immediately when page name changed

    When the page name of a page was changed, the change was immediately reflected to the published page URL. This happened only when the 'Use name path for URL path' setting was enabled.

    9.0.3
  • On-line Marketing - The design of the Database separation dialog was broken

    The design of the dialog used when separating the contact management database was broken.

    9.0.3
  • On-line Marketing - Access denied error when accessing specific tabs in the Pages application

    The 'A/B tests', 'MVT tests', and 'MVT variants' tabs in the Pages application were incorrectly available on licenses lower than EMS. Opening them caused an 'Access denied' error.

    9.0.3
  • On-line forms - File links in form notification emails weren't working

    Form notification emails contained broken links to files submitted in the form.

    9.0.3
  • Object versioning - Objects restored from the recycle bin could overwrite existing objects

    Objects restored from the recycle bin could overwrite existing objects with the same code name in certain cases. The system now always informs users that an object with the same code name already exists and must be changed before restoring.

    9.0.3
  • Modules - Ad-hoc page templates not deleted with UI elements

    When a UI element with content defined through an ad-hoc page template was deleted, the system did not automatically delete the given template.

    9.0.3
  • E-commerce - Shopping cart API method returned inverted results

    The 'CartCanBeUsedOnSiteInternal' method from the 'ShoppingCartInfoProvider' class returned an inverse result to what was specified in the description. This could cause issues if used for customization.

    9.0.3
  • Debug - Erorr on the System objects debug tag after recalculating scores

    An unhandled error occurred on the 'System objects' tab in the Debug application in certain cases after the recalculation of an on-line marketing score.

    9.0.3
  • Contact management - Changed the target of a documentation link

    A link in the contact management application displayed in a message informing about inactive contact deletion now leads to a more relevant documentation page.

    9.0.3
  • Application dashboard - Unwanted event log errors when viewing the dashboard with an offline site

    When viewing the application dashboard while the currently selected site was offline, the dashboard tiles logged a large number of unwanted errors into the system's event log.

    9.0.3
  • Continuous integration - Continuous integration restore not logging staging and integration bus task

    When restoring continuous integration data to the database, staging and integration bus tasks were not logged for the changes made to objects.

    9.0.3
  • Web analytics - GoogleBot not included in page hit statistics

    GoogleBot was not included in page hit statistics when the 'Exclude search engines' setting was disabled.

    9.0.2
  • Reporting - Incorrectly set graph legend position in 'Countries - Weekly report'

    The 'Countries - Weekly report' chart had a typo in the display name and the graph displayed no legend.

    9.0.2
  • Reporting - Incorrect data in certain 'Top landing pages' reports

    Certain 'Top landing pages' reports in the Reporting application displayed incorrect data.

    9.0.2
  • Modules - Creating ad-hoc page templates for unsaved UI elements

    When creating new UI elements for custom modules, the 'Clone template as ad-hoc' was incorrectly displayed if a template was selected for the element content before the element was saved. Creating ad-hoc templates for unsaved elements does not work correctly and causes errors.

    9.0.2
  • Image editor - Cropping in the image editor not working correctly

    Cropped image values were not deleted when switching from the 'Crop' tab. This caused an error when performing resizing of the image afterwards.

    9.0.2
  • Forums - Missing background images on the 'View' Forums tab

    Background images were not loaded when viewing a forum on the 'View' tab in the Forums application.

    9.0.2
  • Forums - Couldn't create forums when using a Base license

    Creating forums was not possible when using Kentico with a Base license.

    9.0.2
  • Email marketing - Emails couldn't be created without an EMS license

    When using a license other than EMS, creation and editing of email campaign emails led to an 'Access denied' error.

    9.0.2
  • Email marketing - Opt-out list innaccessible due to an incorrect permission check

    Accessing the 'Opt-out list' tab in the Email marketing application could result in an 'Unable to render embedded object' error. This was caused by an incorrect permission check.

    9.0.2
  • Continuous integration - Incorrectly updated DocumentUrlPath when restoring pages

    The 'DocumentURLPath' field value was cleared when restoring multilingual pages using Continuous integration.

    9.0.2
  • Contact management - Not all contact data available when exporting contacts

    When exporting raw database data from the OM_Contact table via the administration UI, the Advanced export dialog did not list all the database table columns.

    9.0.2
  • Campaigns - Error on the Report tab in special cases

    Switching to the Report tab caused an error if the pages assigned to the campaign used two or more conversions with the same display name.

    9.0.2
  • Campaigns - Users could launch a campaign with no display name

    Users could launch a marketing campaign with no display name filled in certain scenarios.

    9.0.2
  • Attachments - Retrieving page attachments didn't work in certain cases

    Retrieving attachments via the 'TreeNode.GetFieldAttachments' method did not work when working with an 'Attachments' page type field that used a singular form in its 'Field name'. For example, the problem occurred when retrieving attachments via generated code from a page type field with the 'ArticleImage' field name and 'Attachments' data type.

    9.0.2
  • API - Site binding incorrectly overwritten after assigning a parent object

    When assigning a parent object to a site binding object, the site referenced within the binding was incorrectly overwritten if the parent object had its own SiteID column with a different value. For example, the problem could occur when using the API to assign a page template parent to a template-site binding.

    9.0.2
  • Amazon S3 - Site export not working with external file system storage providers

    The export wizard stopped working in certain cases when exporting sites on instances using an external file system storage provider, such as Amazon S3 or Azure Blob storage.

    9.0.2
  • WYSIWYG editor - Invalid image sources in rare cases when using the editor on the live site

    When working with the HTML editor on the live site (for example with User contributions), images whose source contained content other than a URL were saved in an invalid format.

    9.0.1
  • Web farms - Delayed licensing errors for the number of allowed web farm servers

    The license check for the number of allowed web farm servers was cached incorrectly, which could cause the system to display licensing errors with a delay when a server was added over the allowed limit.

    9.0.1
  • Users - Site-specific email templates not used when editing user passwords

    When editing users on the Password tab in the Users application, the system always used global email templates for the changed password notification emails sent to the users, even if site-specific templates were defined.

    9.0.1
  • User interface - Incorrect invalid input styling in the Campaigns application for IE11

    When editing campaigns in the 'Campaigns' application in Internet Explorer 11, fields with invalid input were styled incorrectly after adding existing emails or pages.

    9.0.1
  • User interface - Fields hidden behind information messages when editing transformations

    Information messages displayed in the transformation editing interface covered the editing form's fields in certain cases.

    9.0.1
  • Staging - Task filter not applied correctly for 'Synchronize all' and 'Delete all' actions

    When the list of tasks in the Staging application was filtered based on User, Group or Type values, the 'Synchronize all' and 'Delete all' actions were applied to all tasks instead of just the filtered sub-set.

    9.0.1
  • Reporting - Incorrect default values in certain 'Browser capabilities' reports

    Certain 'Browser capabilities' reports in the Reporting application displayed incorrect values. The Web analytics application was not affected.

    9.0.1
  • Reporting - Incorrect data in certain 'Top exit pages' reports

    Certain 'Top exit pages' reports in the Reporting application displayed incorrect data.

    9.0.1
  • Pages - URL Path inconsistent with page name path

    The 'URL path' of a page was not consistent with the 'Name path' in certain cases when using the 'Use name path for URL path' setting.

    9.0.1
  • Pages - Missing attachments for pages restored from the recycle bin

    Attachments of deleted pages were not stored in the recycle bin, which led to missing attachments for restored pages.

    9.0.1
  • Microsoft Azure - Building Azure projects failed

    Building an Azure project without packaging the project displayed an error in Visual Studio even though the build succeeded.

    9.0.1
  • Macros - Invalid macro signatures after editing page templates on the 'Web parts' tab

    When saving content on the 'Web parts' tab of a page template in the 'Page templates' application, certain types of macros in the web part content became invalid.

    9.0.1
  • Groups - Incorrectly displayed 'New message' dialog when editing a group message board

    The 'New message' dialog used when editing a group message board displayed incorrectly.

    9.0.1
  • Form controls - Page data rewritten when updating 'Intranet department' pages

    The 'Department sections manager' form control caused loss of editable region content when updating pages of the the 'IntranetPortal.Department' page type.

    9.0.1
  • Form controls - Uni selector in multiple mode with a vertical bar separator

    The 'Uni selector' form control didn't work correctly in certain scenarios when using multiple selection mode and the vertical bar character ('|') as the values separator. For example, the 'Remove selected' button removed even items that weren't selected.

    9.0.1
  • E-commerce - New products always saved with default departments if available

    If a new product was created based on a product page type with a specified default department and the department was changed when creating the product, the default department was used anyway.

    9.0.1
  • Campaigns - Missing campaign link in email reports

    The UTM campaign code on campaign email 'Overview' tab did not work as a link.

    9.0.1
  • Campaigns - Campaign related conversion statistics weren't logged

    Campaign related conversion statistics were not logged on the 'Details' tab of conversions.

    9.0.1

Hotfixes for 8.x

Fixed Bugs
  • Bug DescriptionFixed in version
  • Security - Security improvements

    Added security improvements to the application.

    8.0.23
  • Security - Security improvements

    Added security improvements to the application.

    8.1.19
  • Security - Security improvements

    Added security improvements to the application.

    8.2.50
  • Security - Security improvements

    Added security improvements to the application.

    8.2.49
  • Security - Cross-site scripting in the administration UI

    Device profile previews and the page displaying the administration interface (UIPage.aspx) were vulnerable to cross-site scripting attacks.

    8.2.48
  • Settings - Macros stopped working after saving in the settings application

    When re-saving existing macros with security signatures in the 'Settings' application, the macro was stored in an invalid format and stopped working.

    8.2.47
  • Macros - Macros containing 'I' characters not resolved correctly in the Turkish culture

    Macros containing "I" or 'i' characters were not resolved correctly within the context of the Turkish culture.

    8.2.47
  • Workflow - UI not refreshed after a page rollback

    The panel at the top of a page was not refreshed after rolling back a version of a page.

    8.2.46
  • Web analytics - Internet Explorer in compatibility mode not recognized correctly

    When using Internet Explorer in compatibility mode, web analytics logged statistics for the browser's compatibility version, not the real one.

    8.2.46
  • Search - Unnecessarily large smart search indexes

    The smart search incorrectly stored the Content field within index files, which resulted in unnecessarily large files and lower indexing performance. If you need to view the Content field when inspecting or debugging index files, you can revert the change by adding the <add key="CMSSearchStoreContentField" value="true" /> key to your web.config and rebuilding the index.

    8.2.46
  • Health monitoring - Incorrect number of logged errors and warnings

    The health monitoring counters that track the number of event log errors and warnings incorrectly counted asynchronously logged items twice.

    8.2.46
  • General - Service errors when starting the application

    Service initialization errors could occur in rare cases if the site came under load during the initialization of the application (for example after the application pool was recycled).

    8.2.46
  • Form controls - Label associated with certain form controls generated invalid HTML markup

    The labels associated with the 'Radio buttons' and 'Multiple choice' form controls were generated with invalid markup according to HTML5 validators.

    8.2.46
  • Files - Insert image or media dialog not reflecting user's Starting alias path

    The 'Insert image or media dialog' did not reflect the user's 'Starting alias path' when selecting files on the 'Content tab'. The root page was always selected when first opening the dialog instead.

    8.2.46
  • Categories - The order of page categories wasn't preserved after an import

    The order of page categories was not preserved after an import.

    8.2.46
  • Workflow - Editing a page from a different domain via the Workflows application redirected to an inc

    Editing a page from a site on a different domain through the Pages tab in the Workflows application redirected the user to a URL with an incorrect domain.

    8.2.45
  • Widgets - Widgets couldn't be saved on pages with invalid image URLs

    Widgets could not be saved on pages that contained invalid image URLs (without the ~ or / character). The save operation resulted in a failed view state validation error.

    8.2.45
  • Translation services - Error when sending linked pages for translation via a translation service

    Sending linked pages for translation via translation services did not work and the system displayed a 'No culture to translate from' error.

    8.2.45
  • Object versioning - Invalid page after canceling a rollback in the version comparison dialog

    When rolling back an object or page to a previous version in the version comparison dialog, users were redirected to an invalid address if they clicked Cancel in the confirmation dialog.

    8.2.45
  • Media library - Using the TAB character in media library folder names caused an error

    Creating a new media library and using the TAB character in the 'Folder name' value caused an error when the folder was created.

    8.2.45
  • Media library - Error when using a preferred content culture that had no translated pages

    An error occurred on the 'Files tab' in the Media library application when using a preferred content culture that had no pages translated. This only happened when using Windows authentication.

    8.2.45
  • General - Problems with the <location inheritInChildApplications="false"> web.config tag

    Instances with a <location inheritInChildApplications="false"> tag in their root web.config file weren't handled correctly. For example, an error occurred when attempting to open such instances in external utilities (such as the 'Kentico Service Manager' or when using the 'Modify' option in the installer) and the system failed to write connection strings into the web.config.

    8.2.45
  • Event log - Page not found events were logged without the SiteID value

    Page not found events were logged without the SiteID value in the Event log.

    8.2.45
  • Contact management - A/B variants and MVT combinations not saved in Page visit activities

    A/B test variant and MVT combination information was not saved to Page visit activities when using JavaScript to log analytics and activities.

    8.2.45
  • Caching - Error when running the scheduled task for cleaning old cache files

    When using the file system output cache, running the 'Delete old file system cache files' scheduled task resulted in a "Directory is not empty" error in certain cases.

    8.2.45
  • General - Content-Length header missing in GetResource.ashx responses

    The 'GetResource.ashx' handler didn't set the 'Content-Length' HTTP header when responding to file requests.

    8.2.44
  • Contact management - Error when geolocating certain IP address ranges

    When trying to retrieve geolocation data from specific IP address ranges, an 'Index was outside the bounds of the array' error occurred.

    8.2.44
  • Pages - Changing a page template published content in certain cases

    Changing the template of a page under workflow using 'Clone template as ad-hoc' propagated unpublished content to the page's published version.

    8.2.43
  • Email marketing - Complex subscriber macros weren't resolved

    Complex macros working with the 'Subscriber' object did not resolve correctly when sending campaign emails.

    8.2.43
  • UI personalization - Access denied in the 'Manage user roles' dialog

    If UI personalization was enabled, access to the 'Manage user roles' dialog in the Users application was denied for users without the administrator privilege level (even if the user had the required permissions and UI personalization settings).

    8.2.42
  • On-line forms - Primary ID field macro not working in the 'Redirect to URL' field

    Macros for loading the value of a form's primary ID field (for example '{%FormID%}') didn't work correctly when inserted into the 'Redirect URL' field on the form's General tab. The macro always returned '0'.

    8.2.42
  • Form controls - Culture-dependent values of form control properties not loaded

    Form control properties with a culture-dependent data type (such as date or decimal number) didn't load their values correctly in the 'Editing control settings' section of the field editor when using a non-English UI culture.

    8.2.42
  • E-commerce - Canceling the main currency recalculation wasn't possible

    When changing the main currency with enabled recalculation of prices, exchange rates or other e-commerce objects, the system displays a confirmation dialog box. The 'Cancel' button in this dialog confirmed the recalculation instead of canceling it.

    8.2.42
  • Authentication - Handling of special characters in the 'Trusted certificate thumbprint' setting

    The 'Trusted certificate thumbprint' setting used when configuring claims-based authentication didn't correctly handle special types of input, such as whitespace or non-printing characters. This could lead to untrusted certificate errors if such characters were copied into the setting along with the thumbprint.

    8.2.42
  • UniGrid - XML configuration file not loaded when using a non-default storage provider

    The UniGrid didn't use the CMS.IO API when loading the XML configuration file. As a result, UniGrid components failed to load their configuration if the specified file was mapped to a non-default location using a storage provider.

    8.2.41
  • Portal engine - Widget zones not working in conditional layouts in certain cases

    Widget zones did not work in conditional layouts that were used on multiple page levels. Widget properties did not open.

    8.2.41
  • Macros - LoremIpsum macro method not working with an integer parameter

    The 'LoremIpsum' macro method didn't work when called with an integer type parameter. For example: 'LoremIpsum(100)'

    8.2.41
  • Localization - Localized payment method names displayed incorrectly

    The 'Payment form' web part displayed the names of payment methods incorrectly if their display name was localized.

    8.2.41
  • Forums - Forum group web part thread paging didn't work correctly

    The Forum group web part did not page threads correctly when the 'Enable posts paging' property was disabled.

    8.2.41
  • Files - Broken images returned in special cases

    Special sequence of requests with a specified Range HTTP header could result in the application serving incomplete images from the cache.

    8.2.41
  • Email marketing - Improved email sending performance

    Improved the performance of an email marketing fix introduced in the 8.2.40 hotfix.

    8.2.41
  • E-commerce - Customer detail changes weren't saved in the checkout process

    After applying hotfix 8.2.40, changes of a customer's details performed during the checkout process weren't saved if an existing address was used.

    8.2.41
  • Banned IPs - Incorrectly banned IPs on instances with multiple sites

    If a user accessed a site that banned their IP address, the system then incorrectly blocked the user from other sites running on the same instance, even if the IP address was allowed on the given sites. The incorrect ban persisted until the application was restarted.

    8.2.41
  • Email marketing - Duplicate campaign emails generated in rare situations

    If the process of generating campaign emails failed (due to a timeout or an application error), more than one of the same email could be generated into the email queue when the process ran again.

    8.2.40
  • E-commerce - Shopping cart could contain an incorrect price

    The shopping cart price wasn't updated when the billing or shipping addresses were changed in the 'Customer address' web part in certain cases.

    8.2.40
  • E-commerce - Wrong tax classes were assigned to copied products

    When copying products, the department's default tax classes were assigned to the new product instead of assigning the original product's tax classes.

    8.2.40
  • API - LocalizationHelper.GetUniqueResStringKey method exception

    Calling the 'LocalizationHelper.GetUniqueResStringKey' method in custom code could cause an exception with certain combinations of the 'plainText', 'resKeyPrefix' and 'maxKeyLength' parameters.

    8.2.40
  • Users - Invalid sign in and sign out URLs for claims-based authentication

    When using claims-based authentication, the system generated invalid sign in and sign out URLs if the 'Identity provider URL' setting contained query string parameters.

    8.2.39
  • API - Missing customization options for ResourceStringInfoProvider

    When developing a custom 'ResourceStringInfoProvider', it wasn't possible to override the 'GetString' and 'GetStringFromDB' methods using the standard provider customization pattern.

    8.2.39
  • API - Descending order ignored when using the DataQuery API with Distinct()

    When using the DataQuery API (or ObjectQuery/DocumentQuery), calling the 'Distinct' method caused the query to ignore sorting in descending order, for example when combined with the 'OrderByDescending' method.

    8.2.39
  • Web parts - The ‘Edit page link’ web part created incorrect page links in certain cases

    The ‘Edit page link’ web part created incorrect links to pages that contained a comma character ‘,’ in their name. The 'returnUrl' query parameter used by the web part was renamed to 'editUrl' to handle collisions when logon was required before editing a page.

    8.2.38
  • URL rewriting & SEO - WebMethod calls returning 404 errors

    WebMethod calls that accessed the URLs of pages defined in the Kentico content tree returned a 404 error. The issue only occurred when registering custom WebMethods in the code behind of pages.

    8.2.38
  • Pages - Sorting in the ‘Listing’ mode didn’t work correctly in certain scenarios

    Sorting in the ‘Listing’ mode of the Pages application did not work correctly when changing the 'Items per page' value.

    8.2.38
  • Pages - Decimal number values weren’t converted correctly in versioned pages in certain scenarios

    When retrieving versioned pages of a custom page type that contained a ‘Decimal number’ data type field, an application error occurred when converting the decimal value. This happened in culture versions that use decimal commas as a decimal mark.

    8.2.38
  • Installation - Database installations to LocalDB failed

    Database installations to SQL LocalDB failed on systems that had Microsoft SQL Server 2014 or newer installed.

    8.2.38
  • Form engine - Culture-dependent values not stored correctly for fields in certain cases

    When saving a form field that had a macro inserted into its default value, the system didn't store the field's value in the correct culture format. This could lead to incorrect behavior when working with culture-dependent values, such as dates and decimal numbers.

    8.2.38
  • E-commerce - Deleting a product's culture version also deleted the SKU

    When one culture version of a product page was deleted, the product's SKU object was also deleted leaving the other culture versions without the SKU.

    8.2.38
  • E-commerce - Shopping cart could contain an incorrect price

    The shopping cart price wasn't updated when the billing or shipping addresses were changed in the 'Checkout process' web part.

    8.2.38
  • Web parts & controls - SQL error when using table aliases in the Columns property

    When using a web part or control with a custom query data source, the generated query was invalid if a table alias prefix was used for a value in the 'Columns' property together with brackets: "TableAlias.[Column]". The invalid query then caused an error when the control or web part loaded its data.

    8.2.37
  • Web analytics - Page views not logged in Web analytics

    Web analytics did not log page views on Kentico installations with the Ultimate license. This issue was introduced in the 8.2.13 hotfix.

    8.2.37
  • Staging - Page selection not working in the Staging application for large content trees

    The 'Pages' tab of the 'Staging' application didn't work correctly after clicking the 'click here for more...' option in the page tree. This problem could occur on sites with a very large number of pages on a single level of the tree.

    8.2.37
  • Pages - Page-level permissions weren't copied correctly in certain scenarios

    When copying pages with the 'Copy page permissions' setting enabled, page-level permissions inherited from parent nodes weren't transferred correctly to the new page in certain cases.

    8.2.37
  • Microsoft Azure - Unnecessary requests to external cloud storages

    The system was making unnecessary requests to folders located on an external cloud storage. These requests ended with error 404, which was handled internally. Reducing the number of requests improved the performance of the system.

    8.2.37
  • E-mail engine - Duplicate emals sent in a web farm environment

    When sending emails in a web farm environment, servers processed emails that were already being sent out by another server under certain circumstances. This could result in duplicate emails being sent to the target SMTP server.

    8.2.37
  • API - UserCustomData.Remove method not working

    When using the API to manage custom data for users, calling the 'Remove' method for the 'UserCustomData' property of UserInfo objects didn't correctly remove values from the custom data container.

    8.2.37
  • Caching - Caching files on external cloud storage

    If a folder doesn't exist on the local file storage (it exists only on the external storage) and you wanted to cache the folder with a cache dependency on changes in a file inside of the folder, the system threw an exception. The exception was fixed, however note that automatic clearing of server-side file cache does not work for files in external storage.

    8.2.37
  • Pages - Moving pages in a non-default culture resulted in an incorrect page ordering

    Moving pages in a non-default culture resulted in an incorrect page ordering when the 'New page order' setting was set to 'Alphabetical'.

    8.2.36
  • Email marketing - Cloning an email campaign cloned the logged tracking statistics

    Email campaigns were incorrectly cloned together with their clicked link and opened email statistics.

    8.2.36
  • AB testing - A/B test tracking didn't work correctly in certain scenarios

    The 'Visitors' and 'Conversions' A/B test statistics were not updated correctly when a visitor arrived on the tested page via a page alias.

    8.2.36
  • Pages - The 'FilterDuplicates' DocumentQuery method didn't work correctly

    When the 'FilterDuplicates' method was used for DocumentQuery parametrization and the result set contained several culture versions of pages, all culture versions of pages were incorrectly filtered out together with duplicate linked pages.

    8.2.35
  • Web parts - Couldn't set the 'SelectOnlyPublished' property in code for certain web parts

    Setting the 'SelectOnlyPublished' property value in the code file of the 'Breadcrumbs', 'CSS list menu', 'Tree view', 'SQL search dialog with results', 'Paged text', 'Grid', 'Datalist', 'Universal page viewer', 'XSLT viewer', and 'Image gallery' web parts didn't work correctly.

    8.2.34
  • Security - Redirect validation failed for web parts

    The validation process used by web parts to protect against unvalidated redirects didn't work correc