Security Advisory, May 21, 2024: Security Patch is now available
We recommend you upgrade to the latest patch
Who’s affected?
Versions affected: Umbraco 8.18.5-8.18.13, 10.5.0-10.8.5, 12.0.0-12.3.9, 13.0.0-13.3.0
- Umbraco 11 is likely also subject to the vulnerability but is EOL and will not receive a patch. We recommend upgrading to a supported major version.
- Umbraco Cloud projects are automatically patched.
- Versions prior to Umbraco 8.18.5 are not affected.
How to fix the vulnerability
Patches have been made available for the latest minor on each supported major version. Sites will need to update to the latest minor version before the patch can be applied. As we are looking at a patch upgrade, and the fix is straightforward, we expect the patch upgrade to only require minimal effort per project.
Instructions on patch availability and how to upgrade can be found in the release notes:
Workaround
No known workarounds, so applying the patch is the best way to avoid being exposed to the vulnerability.
Patch availability on Umbraco Cloud
All Umbraco Cloud sites running the latest minor of a supported version are patched via the automated patch feature. The security patches will be rolled out to Umbraco Cloud today to ensure all sites have been fixed.
If a project is not running the latest minor version (8.18.x, 10.8.x, 12.3.x, or 13.3.x), the patch can be applied using the minor upgrade feature.
We’ve recently added the option to get Automatic Minor Upgrades on Umbraco Cloud. All new Cloud projects will have this option turned on by default. We highly encourage you to turn on this feature for existing projects, to always be on the latest and safest minor and patch version.
What we know about the vulnerability
Please refer to the Security Advisory for details and CVE.
There have been no reports indicating that the vulnerability was discovered and exploited by anyone prior to the report.
Impact
Umbraco has an endpoint that is vulnerable to open redirects. The endpoint is protected, so a user must be signed in to the backoffice before the vulnerability is reachable.
Due to the impact of a successful exploit, the vulnerability has been classified as medium severity.
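The mitigation for this vulnerability class is to accept only same-site relative paths as a redirect target and fall back to a fixed location otherwise (in ASP.NET Core the framework helper for this is `Url.IsLocalUrl`). The following is an added illustration of that check written here for this advisory; it is not Umbraco's endpoint, nor the actual fix, and the paths and fallback are constructed values.

```python
from urllib.parse import urlsplit


def is_safe_local_redirect(target: str) -> bool:
    """Return True only for a same-site relative path such as "/content/edit/1".

    Rejects the inputs that make a naive "starts with /" check an open redirect:
    absolute URLs, protocol-relative "//host" and "/\\host" (browsers treat the
    backslash as a slash), and values containing whitespace or control characters
    that some URL parsers silently drop before the scheme.
    """
    if not target:
        return False
    if any(ch.isspace() or ord(ch) < 0x20 for ch in target):
        return False
    # Must start with exactly one slash; a second "/" or "\" after it means a
    # different host, not a path on this site.
    if not target.startswith("/") or (len(target) > 1 and target[1] in "/\\"):
        return False
    # Anything the parser reads as a scheme or authority is not local.
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        return False
    return True


def redirect_after_login(return_url: str, fallback: str = "/") -> str:
    """Compute the Location value a login handler should issue.

    Assumes the framework has already URL-decoded return_url (so "%2F%2Fevil"
    arrives here as "//evil"); the fallback is a constructed example value.
    """
    return return_url if is_safe_local_redirect(return_url) else fallback
```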
Further details and explanations
We will publish additional information on the vulnerability, and how it was addressed, to the Security Advisory, on June 21, 2024, giving reasonable time to plan and apply patches.
Credit
We’d like to thank Hesham Mahmoud for reporting the issue, responsible disclosure of details regarding the vulnerability, and reviewing the solution.
Any questions?
If you have any questions or comments about this advisory, make sure to get in touch with us directly on the Security Advisory. Alternatively, you can reach out to the dedicated security email address listed at https://umbraco.com/security. Here you can also find information on how we handle security-related issues.
Get notified about Security Advisories
If you want to get notified about security heads-ups and advisories directly, sign up for the Umbraco Security mailing list.