Security Advisory: Forms version 8

Written by Sebastiaan Janssen

A bug in Umbraco Forms version 8, which could possibly leak data, has been fixed. Patch releases are ready today and are automatically being added to Umbraco Cloud sites.

Who is impacted

The following versions of Umbraco Forms are affected:

8.0.0
8.1.0-8.1.3
8.2.0
8.3.0-8.3.1

In the latest versions of Forms, this problem has been fixed.

Details about the problem

The discovered data leak appears when using the email workflows built into Umbraco Forms. When those workflows are set up to send a confirmation email to the person filling out a form, it is possible, under special circumstances, that they get an email with the form data that someone else has entered.

Circumstances

Specifically, this can happen when two people submit a Form simultaneously.

Here is what we know from the reported issue:

There has been a single report of this problem occurring for a customer and to the best of our knowledge this is not a wide-spread problem
It happened for email workflows that are configured to send a confirmation message to the form submitter
It happened on a server with high CPU usage / a lot of traffic
This issue can only be reproduced locally by artificially throttling a test website, not from normal usage
If you are not using workflows that send data back to the original person who is submitting a form then this doesn’t apply to you
If you are using workflows that send data somewhere that is out of your control and can be read by third parties, you should update to the latest Forms release

However, even though this is not a wide-spread issue, we still recommend you set aside resources to upgrade your site as soon as possible, as it could potentially lead to data leak.

Technical resolution

The bug has been identified to relate to the usage of singletons for workflows. The usages have been updated to use unique instantiation of workflows.

Additionally, we reviewed the code that runs for any workflow in Forms and made sure that the problem couldn’t be triggered any more. The customer who originally reported the bug also could no longer reproduce the problem after receiving that update from us.

Automatic fix on Umbraco Cloud

All projects on Umbraco Cloud running Umbraco Form version 8 will be automatically patched today (March 23rd, 2020 between 7 AM - 9 PM UTC).

The patch release for Cloud site only includes the fix for this specific issue and no other fixes or features.

Updating manually outside of Umbraco Cloud

There are several ways to update your sites outside of Cloud depending on what is appropriate for your setup. You can update manually, through NuGet or by updating to the latest minor version of Umbraco Forms.

This means:

If you’re using Umbraco Forms 8.0.0, upgrade to Forms version 8.0.1
If you’re using Umbraco Forms 8.1.0-8.1.3, upgrade to Forms version 8.1.4
If you’re using Umbraco Forms 8.2.0, upgrade to Forms version 8.2.1
If you’re using Umbraco Forms 8.3.0-8.3.1, upgrade to Forms version 8.3.2

These new Umbraco Forms versions can be downloaded from the Forms package page on Our Umbraco.

Manual update

The Forms page on Our Umbraco lists the available patch releases. You can use the UmbracoForms.Files.x.y.z.zip files to get all the files that need updating and copy them into your site.