Umbraco

Details of the security issue in 4.10.0

On Nov 14, 2012 we discovered a security flaw in the Umbraco 4.10.0 codebase and released a patch for it the same day.

The security issue stems from a fix made in 4.10.0 for starter kit installation: the application domain wasn't being restarted properly during install, which caused unexpected results. That fix introduced a new REST service to install the starter kit packages, but the service wasn't properly secured. It could be called without authenticating as a backoffice user, which effectively exposed it as a public API. This meant it may have been possible for someone to remotely install a package or restart your application domain.

We strongly urge everybody running a 4.10.0 site to upgrade to 4.10.1 as soon as possible. Versions OTHER than 4.10.0 are NOT affected, so no action is needed for those. The fix has also been merged into the 4.11.0 branch, so it will not be an issue going forward.
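Because only the exact 4.10.0 release is affected, the practical check is which version each site reports. The following script is an added example, not Umbraco's own code: it reads the version from a site's web.config, assuming the `umbracoConfigurationStatus` appSetting that Umbraco writes there at install and upgrade time, and says whether the site needs the 4.10.1 upgrade. The web.config fragment embedded below is constructed for the example.

```python
"""Flag Umbraco sites whose web.config reports the affected 4.10.0 release.

Added example, not Umbraco's own code. Assumes the site's web.config carries
the `umbracoConfigurationStatus` appSetting (the version string Umbraco writes
on install/upgrade). Run with: python check_umbraco_version.py /path/to/web.config
"""
import sys
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

AFFECTED_VERSION = (4, 10, 0)   # the only release named as affected
FIXED_VERSION = "4.10.1"

# Constructed sample web.config fragment, not taken from a real site.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <appSettings>
    <add key="umbracoDbDSN" value="server=db;database=umbraco"/>
    <add key="umbracoConfigurationStatus" value="4.10.0"/>
  </appSettings>
</configuration>
"""


def site_version(web_config_xml: str) -> Optional[str]:
    """Return the umbracoConfigurationStatus value, or None if absent."""
    root = ET.fromstring(web_config_xml)
    for add in root.iterfind("./appSettings/add"):
        if add.get("key") == "umbracoConfigurationStatus":
            return (add.get("value") or "").strip()
    return None


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '4.10.0' into (4, 10, 0); non-numeric parts end the tuple.

    No padding is done: a bare '4.10' becomes (4, 10), which is deliberately
    not equal to (4, 10, 0), so an ambiguous string is never reported as safe
    by accident (see assess(), which treats non-matching strings as unknown
    only when the value is missing entirely).
    """
    parts = []
    for piece in version.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True only for the exact 4.10.0 release."""
    return parse_version(version) == AFFECTED_VERSION


def assess(web_config_xml: str) -> str:
    """One-line verdict for a web.config: affected / not affected / unknown."""
    version = site_version(web_config_xml)
    if not version:
        return "unknown: no umbracoConfigurationStatus appSetting found"
    if is_affected(version):
        return f"affected: site reports {version}, upgrade to {FIXED_VERSION}"
    return f"not affected: site reports {version}"


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            print(assess(fh.read()))
    else:
        print(assess(SAMPLE_WEB_CONFIG))
```

The comparison is deliberately an exact match on the parsed version tuple rather than a range check, because the advisory names a single affected release; sites already on 4.10.1, on 4.9.x, or on 4.11.0 all come back as not affected.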

Again, our sincere apologies for the inconvenience!