Security patches for Umbraco 10, 11, and 12 now available
We recommend you upgrade to the latest version
Who’s affected?
Versions affected: Umbraco 10.0.0-10.6.0, 11.0.0-11.4.1. and Umbraco 12.0.0
- All sites on Umbraco Cloud are not affected.
- All sites using the Unattended Install feature are not subject to the vulnerability.
- Umbraco 9 is likely also subject to the vulnerability but is EOL and will not receive a patch. We recommend upgrading to a supported major version.
- Versions prior to Umbraco 9 are not affected.
How to fix the vulnerability
Patches have been made available for the latest minor on each supported major version. Sites will need to update to the latest minor version before the patch can be applied. As we are looking at a patch upgrade, and the fix is straightforward, we expect the patch upgrade to only require minimal effort per project.
Instructions on patch availability and how to upgrade can be found in the release notes:
Workaround
Should you for some reason be prevented from applying the patch within a reasonable timeframe, there are workarounds that will eliminate the vulnerability, or limit the exposure, without applying the patch.
- Enabling the Unattended Install feature will mean the vulnerability is not exploitable.
- Enabling IP restrictions to */install/* and */umbraco/* will limit the exposure to allowed IP addresses.
Patch availability on Umbraco Cloud
Umbraco Cloud sites are not affected by this issue. The patch versions will automatically be rolled out to all Umbraco Cloud projects on Tuesday, July 18, 2023. This is just to ensure all Cloud sites are running the latest version.
What we know about the vulnerability
Please refer to the Security Advisory for details and CVE.
There have been no reports indicating that the vulnerability was discovered and exploited by anyone prior to the report.
Impact
Under rare conditions, a restart of Umbraco can allow unauthorized users to gain admin-level access and permissions to the backoffice.
Due to the impact of a successful exploit, the vulnerability has been classified as high severity. In our estimation, sites are only vulnerable in very specific circumstances, and the complexity of the exploit is high, so running sites are not exceedingly vulnerable even after this advisory is public.
Further details and explanations
We will publish additional information on the vulnerability, and how it was addressed, to the Security Advisory, on August 14, 2023, giving reasonable time to plan and apply patches.
Credit
We’d like to thank Bogdan Kosarevskyi from UKAD for reporting the issue and responsible disclosure of details regarding the vulnerability. Further, thanks to Andrey Karandashov and Dmytro Minaev, also from UKAD, for their help in testing the patch and ensuring the vulnerability is addressed.
Any questions?
If you have any questions or comments about this advisory, make sure to get in touch with us directly on the Security Advisory. Alternatively, you can reach out to the dedicated security email address listed at https://umbraco.com/security. Here you can also find information on how we handle security-related issues.