Update 2023-03-28: An additional vulnerability has been discovered in connection with the patches released on March 21, 2023. The issue has been identified and addressed, and as a consequence new patches are now available for Umbraco 8, 10, and 11. All other information in the advisory is still valid.
If you are uncertain about how to handle this advisory, reach out to your technical contact/web agency for your Umbraco site and provide them with a link to this blog post and they will be able to take the necessary precautions.
Who’s affected? (Updated 2023-03-28)
Versions affected: Umbraco 8.2+ (8.2.0-8.18.6, 10.0.0-10.4.1, and 11.0.0-11.2.1)
Versions that are no longer supported, including Umbraco 9, have not been tested and will not be patched. We recommend that sites still running Umbraco 9 upgrade to a patched version of Umbraco 10.
Sites running Umbraco 7 are not affected.
This vulnerability can only be exploited by a user who is logged in and has access to the Umbraco backoffice. It allows users without access to the Settings section to expose files.
While the impact (access to files) is of medium severity, the circumstances required to exploit it (an authenticated backoffice user) make it low risk, and as a consequence the vulnerability has been categorized as a medium-severity issue.
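The following script is an added example, not code from Umbraco or from this advisory. It reads the Umbraco package version out of a project's csproj file and classifies it against the affected ranges listed above (8.2.0-8.18.6, 10.0.0-10.4.1, 11.0.0-11.2.1), treating Umbraco 9 as untested and Umbraco 7 as not affected. The NuGet package ids it looks for ("Umbraco.Cms" for v9 and later, "UmbracoCms" for v8) are an assumption, as is the sample csproj, which is constructed for the example; versions above an affected range are reported as "above-range" rather than "patched" because the advisory points to the release notes, not a specific version number, for the fix.

```python
import re
import xml.etree.ElementTree as ET

# Inclusive affected ranges from the advisory, keyed by major version.
AFFECTED_RANGES = {
    8: ((8, 2, 0), (8, 18, 6)),
    10: ((10, 0, 0), (10, 4, 1)),
    11: ((11, 0, 0), (11, 2, 1)),
}

# Majors the advisory says are unsupported and were not tested.
UNTESTED_MAJORS = {9}

# Majors the advisory explicitly calls not affected.
NOT_AFFECTED_MAJORS = {7}

# NuGet package ids that carry the CMS version (assumption, not from the advisory).
UMBRACO_PACKAGE_IDS = ("Umbraco.Cms", "UmbracoCms")


def parse_version(version: str) -> tuple:
    """Return (major, minor, patch) from a version string.

    Only the leading numeric components are used; a pre-release suffix such as
    '-rc1' or a fourth component is ignored.
    """
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def classify(version: str) -> str:
    """Classify a version against the advisory's affected ranges."""
    v = parse_version(version)
    major = v[0]
    if major in UNTESTED_MAJORS:
        return "untested"          # e.g. Umbraco 9: upgrade to patched 10.x
    if major in NOT_AFFECTED_MAJORS:
        return "not-affected"      # Umbraco 7
    if major in AFFECTED_RANGES:
        lo, hi = AFFECTED_RANGES[major]
        if lo <= v <= hi:
            return "affected"
        if v > hi:
            return "above-range"   # newer than the listed range; confirm via release notes
        return "not-affected"      # e.g. 8.0.x / 8.1.x, below "8.2+"
    return "not-listed"            # major not mentioned by the advisory


def _local_name(tag: str) -> str:
    # Strip any MSBuild XML namespace so old-style and SDK-style csproj both match.
    return tag.rsplit("}", 1)[-1]


def umbraco_version_from_csproj(csproj_xml: str):
    """Find the Umbraco package version in a csproj, or None if absent."""
    root = ET.fromstring(csproj_xml)
    for el in root.iter():
        if _local_name(el.tag) != "PackageReference":
            continue
        if el.get("Include") not in UMBRACO_PACKAGE_IDS:
            continue
        version = el.get("Version")
        if version is None:
            # <PackageReference Include="..."><Version>x.y.z</Version></PackageReference>
            for child in el:
                if _local_name(child.tag) == "Version" and child.text:
                    version = child.text
        if version:
            return version.strip()
    return None


def check_csproj(csproj_xml: str):
    """Return (version, classification); version is None if no Umbraco package is found."""
    version = umbraco_version_from_csproj(csproj_xml)
    if version is None:
        return (None, "no-umbraco-package")
    return (version, classify(version))


# Constructed sample project file for the example (not a real site's csproj).
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <PropertyGroup>
    <TargetFramework>net7.0</TargetFramework>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Umbraco.Cms" Version="11.2.1" />
  </ItemGroup>
</Project>
"""

if __name__ == "__main__":
    version, status = check_csproj(SAMPLE_CSPROJ)
    print(f"Umbraco {version}: {status}")
```

Run it against a site's own csproj (for example, `check_csproj(open("MySite.csproj").read())`); an "affected" result means the site must be on the latest minor of its major before the patch can be applied, and "untested" means a move to a patched Umbraco 10 is the supported route.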
How to fix the vulnerability
Patches have been made available for the latest minor on each supported major version. Sites will need to update to the latest minor version before the patch can be applied.
All Umbraco Cloud sites running the latest minor are patched via the automated patch feature. The patches will be rolled out to Umbraco Cloud today to ensure all sites are running the latest version.
If a project is not running the latest minor version (8.18.x, 10.4.x, or 11.2.x), the patch can be applied using the minor upgrade feature.
Manual Upgrade (Updated 2023-03-28 with new patch links):
Instructions on patch availability and how to upgrade can be found in the release notes:
What we know about the vulnerability
There have been no reports indicating that the vulnerability was discovered and exploited by anyone prior to the report.
If you have any questions or comments about this advisory, make sure to get in touch with us through our dedicated security email address as listed at https://umbraco.com/security. Here you can also find information on how we handle security-related issues.
If you want to get notified about security heads-ups and advisories directly, sign up for the Umbraco Security mailing list.