
Security Advisory: Security patches for Umbraco 8, 10, 11, and 12 now available

We recommend you upgrade to the latest patches.

Written by Bjarke Mikkelsen Berg

Two medium-severity security issues have been identified in Umbraco CMS. These vulnerabilities could allow users to perform operations that their permissions are not intended to allow. Today, we have released patches for all affected versions and advise you to upgrade to the latest patch. Projects running on Umbraco Cloud will get the fix automatically today. The security issues are not publicly known.

Who’s affected?

Versions affected:

  • Umbraco 8.0.0-8.18.9 (version 8 is affected by 1 medium-severity issue. Upgrading to the latest patch will fix this as well as some low-severity issues)

  • Umbraco 10.0.0-10.8.0 (version 10 is affected by 2 medium-severity issues. Upgrading to the latest patch will fix both of these and a low-severity issue)

  • Umbraco 12.0.0-12.3.3 (version 12 is affected by 2 medium-severity issues. Upgrading to the latest patch will fix both of these and a low-severity issue)

Umbraco 7, 9, and 11 are likely also subject to the vulnerabilities but are all end-of-life versions and will not receive a patch. We recommend upgrading to a supported major version.

Umbraco 7 XLTS customers have been informed directly via email of their needed action.

How to fix the vulnerability

Patches are available for the latest minor on each supported major version. Sites will need to update to the latest minor version before the patch can be applied. As we are looking at a patch upgrade, and the fix is straightforward, we expect the patch upgrade to only require minimal effort per project. 

Instructions on patch availability and how to upgrade can be found in the release notes:

Update 13/12/2023: 

Due to a discovered non-security-related regression issue, a new patch is ready. We encourage you to update to the latest patch:

Umbraco 8.18.11

Umbraco 10.8.2

Umbraco 12.3.5

All Umbraco Cloud projects have automatically been updated to this new patch. 

Umbraco 7 XLTS versions are not affected by the regression issue.
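For anyone responsible for more than one site, the version ranges under "Who's affected?" and the patch releases in the update above are easiest to apply as a small triage script. The following is an added example written for this advisory, not Umbraco tooling: the affected ranges, the recommended patch numbers and the end-of-life majors are transcribed from the text, while the site names and versions in the sample inventory are constructed. Because the advisory does not give the number of the first (regressed) patch, versions that are past the affected range but below the recommended patch are simply reported as "below-recommended-patch". It also flags sites that are not yet on the latest minor, since the advisory notes that the patch can only be applied there.

```python
"""Triage helper for this advisory: classify Umbraco CMS version strings against the
affected ranges and the recommended patch releases.  Added example; not Umbraco's own
tooling.  The version data below is transcribed from the advisory text."""
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Inclusive affected ranges per supported major, as listed under "Who's affected?".
AFFECTED: Dict[int, Tuple[Version, Version]] = {
    8: ((8, 0, 0), (8, 18, 9)),
    10: ((10, 0, 0), (10, 8, 0)),
    12: ((12, 0, 0), (12, 3, 3)),
}
# Patch releases recommended in the 13/12/2023 update (they supersede the first patch).
RECOMMENDED: Dict[int, Version] = {8: (8, 18, 11), 10: (10, 8, 2), 12: (12, 3, 5)}
# Majors the advisory names as end-of-life: likely affected, but no patch will be issued.
END_OF_LIFE = {7, 9, 11}


def parse_version(text: str) -> Version:
    """Parse '12.3.3', 'v12.3' or '10.8.0-rc1' into a 3-tuple.  Pre-release and
    build suffixes are dropped, since the advisory ranges are on release numbers."""
    core = text.strip().lstrip("vV").split("-", 1)[0].split("+", 1)[0]
    parts = core.split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not an Umbraco version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return (nums[0], nums[1], nums[2])


def fmt(v: Version) -> str:
    return ".".join(str(n) for n in v)


def assess(text: str) -> Dict[str, object]:
    """Return the status of one version, the action to take, and whether a minor
    upgrade must happen before the patch can be applied."""
    v = parse_version(text)
    major = v[0]
    if major in END_OF_LIFE:
        return {"version": text, "status": "end-of-life",
                "action": "upgrade to a supported major version"}
    if major not in AFFECTED:
        return {"version": text, "status": "not-listed",
                "action": "no action from this advisory"}
    low, high = AFFECTED[major]
    target = RECOMMENDED[major]
    # Patches are only published for the latest minor of each major, so a site on an
    # older minor has to move minors first (compare major.minor only).
    needs_minor = v[:2] < target[:2]
    if low <= v <= high:
        status = "affected"
    elif v < target:
        status = "below-recommended-patch"  # outside the range, but not on the regression-free patch
    else:
        status = "patched"
    if status == "patched":
        action = "none"
    elif needs_minor:
        action = f"upgrade to latest minor {target[0]}.{target[1]}.x, then to {fmt(target)}"
    else:
        action = f"upgrade to {fmt(target)}"
    return {"version": text, "status": status,
            "needs_minor_upgrade": needs_minor, "action": action}


def triage(inventory: Dict[str, str]) -> List[Dict[str, object]]:
    """Assess a site-name -> version inventory and order it most urgent first."""
    order = {"affected": 0, "end-of-life": 1, "below-recommended-patch": 2,
             "not-listed": 3, "patched": 4}
    rows = []
    for site, ver in inventory.items():
        row = assess(ver)
        row["site"] = site
        rows.append(row)
    return sorted(rows, key=lambda r: order[str(r["status"])])


if __name__ == "__main__":
    # Constructed sample inventory: the site names and versions are made up.
    sample = {"intranet": "10.4.2", "shop": "12.3.3", "blog": "8.18.11",
              "legacy": "7.15.7", "docs": "12.3.4"}
    for row in triage(sample):
        print(f'{row["site"]:10} {row["version"]:8} {row["status"]:24} {row["action"]}')
```

The comparison works on plain 3-tuples so that a version such as 12.3.3 sorts before 12.3.5 without any third-party dependency; the `needs_minor_upgrade` flag is what turns the advisory's "update to the latest minor first" note into something a fleet report can show per site.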

Automatic fix on Umbraco Cloud

All Umbraco Cloud sites running the latest minor of a supported version are patched via the automated patch feature. The security patches will be rolled out to Umbraco Cloud today to ensure all sites have been fixed. 

If a project is not running the latest minor version (8.18.x, 10.4.x, or 12.3.x), the patch can be applied using the minor upgrade feature. Please note that we’ve recently added the option to get automatic minor upgrades on Umbraco Cloud. All new Cloud projects will have this option turned on by default, but for existing projects, we highly encourage you to turn on this function for your projects to always be on the latest and safest minor and patch version. 

You can opt in to Automatic Minor Upgrades directly from Umbraco Cloud on the new Automatic Upgrades page.

[Screenshot from the Umbraco Cloud Portal showing the option to turn on Automatic Minor Upgrades]

What we know about the vulnerability

Both vulnerabilities require access to the backoffice before they can be exploited. Further details will be revealed on the Security Advisories after some time. 

Credit

We’d like to thank Jeroen Koppenol, Raphael Silva, Emma Garland, GiantAtPlay and roie-shmuel for reporting the issues and for the responsible disclosure of details regarding the vulnerabilities.

Any questions?

If you have any questions or comments about this advisory, make sure to get in touch with us directly on the Security Advisories. Alternatively, you can reach out to the dedicated security email address listed at https://umbraco.com/security. Here you can also find information on how we handle security-related issues.
