Security Advisory, August 20, 2024: Security Patch for Umbraco CMS is now available
We recommend you upgrade to the latest patch
Who’s affected?
Versions affected: Umbraco 14.0.0-14.1.1
How to fix the vulnerability
A patch has been made available for the latest minor version. Sites will need to update to the latest minor version before the patch can be applied. Because this is a patch upgrade and the fix is straightforward, we expect it to require only minimal effort per project.
Instructions on patch availability and how to upgrade can be found in the release notes:
The fix will also be included in 14.2.0, which is scheduled for release next Thursday.
Workaround
There are no known workarounds, so applying the patch is the best way to avoid being exposed to the vulnerability.
Automatic fix on Umbraco Cloud
All Umbraco Cloud sites running the latest minor of Umbraco 14 are patched via the automated patch feature. The security patch will be rolled out to Umbraco Cloud today to ensure all sites have been fixed.
If a project is not running the latest minor version, the patch can be applied using the minor upgrade feature.
What we know about the vulnerability
Please refer to the following security advisories:
There has been no indication that the vulnerability was discovered or exploited prior to the report.
Further details and explanations
We will publish additional information on the security advisories, and how the issues were addressed, on September 17, 2024. This should provide reasonable time to plan and apply patches.
Credit
We would like to thank Pasi Keski-Korsu and the team from Prove Expertise Oy for the responsible disclosure of the issues and help in verifying the fix.
Any questions?
If you have any questions or comments about this advisory, get in touch with us through the dedicated security email address listed at https://umbraco.com/security. There you can also find information on how we handle security-related issues.