
Security Advisory, May 21, 2024: Security Patch is now available

We recommend you upgrade to the latest patch

Written by Bjarke Berg

We have identified a medium-severity security issue in Umbraco CMS. This vulnerability can potentially expose users to phishing attacks. We have released patches for all supported versions and advise you to upgrade to the latest patch. The security issue is not publicly known. Umbraco Cloud sites are automatically patched.

Who’s affected?

Versions affected: Umbraco 8.18.5-8.18.13, 10.5.0-10.8.5, 12.0.0-12.3.9, 13.0.0-13.3.0

  • Umbraco 11 is likely also subject to the vulnerability but is EOL and will not receive a patch. We recommend upgrading to a supported major version.
  • Umbraco Cloud projects are automatically patched.
  • Versions prior to Umbraco 8.18.5 are not affected.

How to fix the vulnerability

Patches have been made available for the latest minor of each supported major version. Sites will need to update to the latest minor version before the patch can be applied. Since this is a patch upgrade and the fix itself is small, we expect it to require only minimal effort per project.

Instructions on patch availability and how to upgrade can be found in the release notes:

Workaround

No known workarounds, so applying the patch is the best way to avoid being exposed to the vulnerability.

Patch availability on Umbraco Cloud

All Umbraco Cloud sites running the latest minor of a supported version are patched via the automated patch feature. The security patches will be rolled out to Umbraco Cloud today to ensure all sites have been fixed. 

If a project is not running the latest minor version (8.18.x, 10.8.x, 12.3.x, or 13.3.x), the patch can be applied using the minor upgrade feature.

We’ve recently added the option to get Automatic Minor Upgrades on Umbraco Cloud. All new Cloud projects will have this option turned on by default. We highly encourage you to turn on this feature for existing projects, to always be on the latest and safest minor and patch version.

Screenshot from the Umbraco Cloud Portal showing the option to turn on Automatic Minor Upgrades

What we know about the vulnerability

Please refer to the Security Advisory for details and CVE.

There have been no reports indicating that the vulnerability was discovered and exploited by anyone prior to the report.

Impact

Umbraco has an endpoint that is vulnerable to open redirect: it forwards the browser to a caller-supplied URL without verifying that the target belongs to the site. The endpoint is authenticated, so a user must already be signed into the backoffice before the redirect can be triggered. The phishing risk is that a link pointing at the trusted backoffice host can send a signed-in user on to an attacker-controlled page.

Due to the impact of a successful exploit, the vulnerability has been classified as medium severity.
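To make the open redirect concrete, here is an added example that is not Umbraco's code (the affected endpoint is not identified on this page). The hardened check mirrors the rules ASP.NET Core applies in Url.IsLocalUrl (a target must start with "/" or "~/", the following character may not be "/" or "\", and no control characters may appear afterwards); the sample redirect targets and the host names cms.example and evil.example are constructed for illustration.

```python
# Constructed sample redirect targets: what a returnUrl-style parameter
# might carry after a backoffice sign-in. Not taken from the advisory.
SAMPLE_TARGETS = [
    "/umbraco",                                     # local path: accept
    "/umbraco/#/content?id=1234",                   # local path with fragment: accept
    "~/umbraco",                                    # app-relative path: accept
    "https://evil.example/login",                   # absolute off-site URL: reject
    "//evil.example/login",                         # protocol-relative, leaves the site: reject
    "/\\evil.example/login",                        # browsers normalise "\" to "/": reject
    "/umbraco\r\nLocation: https://evil.example",   # control characters: reject
    "https://evil.example/?next=cms.example",       # trusted host only as a substring: reject
    "javascript:alert(1)",                          # not a path at all: reject
    "",                                             # empty: reject, use fallback
]


def naive_is_local(url, host="cms.example"):
    """A check that looks reasonable and is wrong (hypothetical, for contrast).

    "Starts with a slash" lets protocol-relative "//evil.example" through,
    and "our host appears somewhere in the URL" is trivially satisfied by
    putting the host in a query string.
    """
    return url.startswith("/") or host in url


def is_local_url(url):
    """Accept only same-origin, path-relative redirect targets.

    Rules mirror ASP.NET Core's Url.IsLocalUrl: the target must begin with
    "/" or "~/", the next character may not be "/" or "\\" (which would make
    the URL protocol-relative), and no control character may appear after
    the prefix (which rules out header-injection payloads).
    """
    if not url:
        return False
    if url[0] == "/":
        rest = url[1:]
    elif url.startswith("~/"):
        rest = url[2:]
    else:
        return False
    if rest[:1] in ("/", "\\"):
        return False
    return not any(ord(c) < 0x20 or ord(c) == 0x7F for c in rest)


def safe_redirect_target(url, fallback="/umbraco"):
    """What a redirect endpoint should send back: the requested target if it
    is local, otherwise a fixed fallback inside the application."""
    return url if is_local_url(url) else fallback


def classify(targets=SAMPLE_TARGETS):
    """Map each sample target to the verdicts of the naive and hardened checks."""
    return {t: (naive_is_local(t), is_local_url(t)) for t in targets}


if __name__ == "__main__":
    for target, (naive, hardened) in classify().items():
        print(f"{target!r:50} naive={naive!s:5} hardened={hardened}")
```

The difference in verdicts on "//evil.example/login" and on the substring case is the whole bug class: a check that only inspects the start of the string, or that searches for the site's own host name, still redirects a signed-in user to an attacker-controlled page.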

Further details and explanations

We will publish additional information on the vulnerability, and how it was addressed, to the Security Advisory, on June 21, 2024, giving reasonable time to plan and apply patches.

Credit

We’d like to thank Hesham Mahmoud for reporting the issue, responsibly disclosing the details of the vulnerability, and reviewing the fix.

Any questions?

If you have any questions or comments about this advisory, make sure to get in touch with us directly on the Security Advisory. Alternatively, you can reach out to the dedicated security email address listed at https://umbraco.com/security. Here you can also find information on how we handle security-related issues.

Get notified about Security Advisories

If you want to get notified about security heads-ups and advisories directly, sign up for the Umbraco Security mailing list.