Umbraco

Security Advisory, October 22, 2024 - Patches for Umbraco CMS are now available

We recommend you upgrade to the latest patch

Written by Bjarke Berg

We have identified four unrelated security vulnerabilities in Umbraco CMS. Depending on the issue, they may allow code execution or enable malicious users to exploit cookies. Today we have released patches for all affected versions and strongly recommend upgrading to the latest patch. Projects hosted on Umbraco Cloud will receive the fix automatically. Please note that these security issues have not been publicly disclosed.

Versions affected

  • Umbraco 8.0.0 - 8.18.14
    • Umbraco 8 is affected by 2 medium-severity issues.
  • Umbraco 10.0.0 - 10.8.6
    • Umbraco 10 is affected by 3 medium-severity issues.
  • Umbraco 13.0.0 - 13.5.1
    • Umbraco 13 is affected by 3 medium-severity issues.
  • Umbraco 14.0.0 - 14.3.0
    • Umbraco 14 is affected by 1 medium-severity issue.

End-of-life versions that are no longer supported may face increased risks as they do not receive critical updates. We recommend upgrading to a supported major version to ensure ongoing protection. Customers with Umbraco 7 Extended Long-term Support (XLTS) have been directly informed of any necessary actions to maintain their projects.
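To check a project against the ranges above without reading version numbers by hand, the following added example (not code from Umbraco or from this advisory) reads the Umbraco.Cms package reference out of an SDK-style .csproj and classifies it against the affected ranges published above. It assumes a modern (Umbraco 9+) project that pins Umbraco through a `PackageReference Include="Umbraco.Cms"`; older Umbraco 8 projects reference different package IDs, so for those pass the version string to `classify` directly. The sample .csproj is constructed for the example. Because the advisory does not name the patched version numbers, anything above a listed range is reported as such rather than as "patched".

```python
import re
import xml.etree.ElementTree as ET

# Affected ranges as published in the advisory: major -> (lowest affected, highest affected).
AFFECTED_RANGES = {
    8: ((8, 0, 0), (8, 18, 14)),
    10: ((10, 0, 0), (10, 8, 6)),
    13: ((13, 0, 0), (13, 5, 1)),
    14: ((14, 0, 0), (14, 3, 0)),
}


def parse_version(text):
    """Parse 'MAJOR.MINOR.PATCH[-prerelease][+build]' into a tuple of ints.

    Pre-release and build suffixes are ignored for the range comparison.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[-+].*)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def classify(version):
    """Return one of: 'affected', 'above listed affected range', 'no patch in this advisory'."""
    v = parse_version(version)
    rng = AFFECTED_RANGES.get(v[0])
    if rng is None:
        # Majors not listed (e.g. 9, 11, 12) received no patch here; check their support status.
        return "no patch in this advisory"
    low, high = rng
    if low <= v <= high:
        return "affected"
    return "above listed affected range"


def umbraco_versions_from_csproj(xml_text):
    """Return every Umbraco.Cms version referenced in a .csproj.

    Handles both the Version attribute and a nested <Version> element, and
    tolerates the MSBuild XML namespace used by older, non-SDK project files.
    """
    root = ET.fromstring(xml_text)
    found = []
    for el in root.iter():
        if el.tag.split("}")[-1] != "PackageReference":
            continue
        if el.get("Include") != "Umbraco.Cms":
            continue
        ver = el.get("Version")
        if ver is None:
            for child in el:
                if child.tag.split("}")[-1] == "Version" and child.text:
                    ver = child.text
        if ver:
            found.append(ver.strip())
    return found


def report(xml_text):
    """Pair each referenced Umbraco.Cms version with its classification."""
    return [(v, classify(v)) for v in umbraco_versions_from_csproj(xml_text)]


# Constructed sample project file for the example; not a real Umbraco project.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="Umbraco.Cms" Version="13.4.0" />
    <PackageReference Include="Umbraco.Forms" Version="13.2.0" />
  </ItemGroup>
</Project>"""


if __name__ == "__main__":
    for version, status in report(SAMPLE_CSPROJ):
        print(f"Umbraco.Cms {version}: {status}")
```

Run it from the root of each site repository, or feed it every .csproj in a solution; a hit of "affected" means the project must first move to the latest minor of its major before the patch can be applied, as the next section describes.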

How to fix the vulnerability

Patches are available for the latest minor on each supported major version. Sites will need to update to the latest minor version before the patch can be applied. Because this is a patch upgrade and the fix is straightforward, we expect it to require only minimal effort per project.

Instructions on patch availability and how to upgrade can be found in the release notes:

Automatic fix on Umbraco Cloud

All Umbraco Cloud sites running the latest minor of a supported major version are patched via the automated patch feature. The security patches will be rolled out to Umbraco Cloud today to ensure all sites have been fixed.

If a project is not running the latest minor version (8.18.x, 10.8.x, or 13.5.x), the patch can be applied using the minor upgrade feature. Please note that we’ve recently added the option to get automatic minor upgrades on Umbraco Cloud. All new Cloud projects will have this option turned on by default. For existing projects, we highly encourage you to turn on this feature so that your projects run the latest and safest minor and patch versions.

You can opt-in to enable Automatic Minor Upgrades directly from Umbraco Cloud on the new Automatic Upgrades page.

[Screenshot from the Umbraco Cloud Portal showing the option to turn on Automatic Minor Upgrades]

What we know about the vulnerability


For more details please refer to the security advisories:


There are no indications that the vulnerabilities were discovered or exploited prior to the report. Further details will be published on the Security Advisories at a later date.

Impact

The vulnerabilities all require authenticated access to the backoffice, meaning an attacker must first log in to the backoffice to exploit them. Additionally, the complexity of executing a successful attack is high. These factors have contributed to a medium (moderate) severity rating. Nevertheless, we recommend updating to the latest patched version to ensure optimal security.

Credit

We'd like to thank Tarik Essadki and Duong Phamm for reporting the issues and for the responsible disclosure of details regarding the vulnerabilities.

Any questions?

If you have any questions or comments about this advisory, make sure to get in touch with us directly on the Security Advisories. Alternatively, you can reach out to the dedicated security email address listed at https://umbraco.com/security. Here you can also find information on how we handle security-related issues.