Email Hero 780X405px (3)

Security Advisory: Forms version 8

Patch releases are ready

Sebastiaan Author
Written by Sebastiaan Janssen

A bug in Umbraco Forms version 8, which could possibly leak data, has been fixed. Patch releases are ready today and are automatically being added to Umbraco Cloud sites.

Who is impacted

The following versions of Umbraco Forms are affected:

  • 8.0.0
  • 8.1.0-8.1.3
  • 8.2.0
  • 8.3.0-8.3.1

In the latest versions of Forms, this problem has been fixed. 

Details about the problem

The discovered data leak appears when using the email workflows built into Umbraco Forms. When those workflows are set up to send a confirmation email to the person filling out a form, it is possible, under special circumstances, that they get an email with the form data that someone else has entered. 

Circumstances

Specifically, this can happen when two people submit a Form simultaneously. 

Here is what we know from the reported issue:

  • There has been a single report of this problem occurring for a customer and to the best of our knowledge this is not a wide-spread problem
  • It happened for email workflows that are configured to send a confirmation message to the form submitter
  • It happened on a server with high CPU usage / a lot of traffic
  • This issue can only be reproduced locally by artificially throttling a test website, not from normal usage
  • If you are not using workflows that send data back to the original person who is submitting a form then this doesn’t apply to you
  • If you are using workflows that send data somewhere that is out of your control and can be read by third parties, you should update to the latest Forms release

However, even though this is not a wide-spread issue, we still recommend you set aside resources to upgrade your site as soon as possible, as it could potentially lead to data leak.

Technical resolution

The bug has been identified to relate to the usage of singletons for workflows. The usages have been updated to use unique instantiation of workflows. 

Additionally, we reviewed the code that runs for any workflow in Forms and made sure that the problem couldn’t be triggered any more. The customer who originally reported the bug also could no longer reproduce the problem after receiving that update from us.

Automatic fix on Umbraco Cloud

All projects on Umbraco Cloud running Umbraco Form version 8 will be automatically patched today (March 23rd, 2020 between 7 AM - 9 PM UTC). 

The patch release for Cloud site only includes the fix for this specific issue and no other fixes or features.

Updating manually outside of Umbraco Cloud

There are several ways to update your sites outside of Cloud depending on what is appropriate for your setup. You can update manually, through NuGet or by updating to the latest minor version of Umbraco Forms.

This means:

  • If you’re using Umbraco Forms 8.0.0, upgrade to Forms version 8.0.1
  • If you’re using Umbraco Forms 8.1.0-8.1.3, upgrade to Forms version 8.1.4
  • If you’re using Umbraco Forms 8.2.0, upgrade to Forms version 8.2.1
  • If you’re using Umbraco Forms 8.3.0-8.3.1, upgrade to Forms version 8.3.2

These new Umbraco Forms versions can be downloaded from the Forms package page on Our Umbraco

Manual update

The Forms page on Our Umbraco lists the available patch releases. You can use the UmbracoForms.Files.x.y.z.zip files to get all the files that need updating and copy them into your site.

Update with NuGet

For NuGet installs, you can run the same upgrades as mentioned above:

  • If you’re using Umbraco Forms 8.0.0, upgrade to Forms version 8.0.1
  • If you’re using Umbraco Forms 8.1.0-8.1.3, upgrade to Forms version 8.1.4
  • If you’re using Umbraco Forms 8.2.0, upgrade to Forms version 8.2.1
  • If you’re using Umbraco Forms 8.3.0-8.3.1, upgrade to Forms version 8.3.2

These new Umbraco Forms versions can be downloaded from the Forms package page on Our Umbraco

Questions?

If you have any question regarding this patch, please feel free to contact us at contact@umbraco.com

 

Credit

Thanks to Frans de Jong for investigating and reporting this issue to us.

Loved by developers, used by thousands around the world!

One of the biggest benefits of using Umbraco is that we have the friendliest Open Source community on this planet. A community that's incredibly pro-active, extremely talented and helpful.

If you get an idea for something you would like to build in Umbraco, chances are that someone has already built it. And if you have a question, are looking for documentation or need friendly advise, go ahead and ask the Umbraco community on Our.

Number of active installs
502567
Number of active members in the community
221745
Known free Umbraco packages available
1211

Want to be updated on everything Umbraco?

Sign up for the Umbraco newsletter and get the latest news and special offers sent directly to your inbox