Thursday, September 20, 2018

Security advisory: Patch for your site is now available

Who is affected?

As we mentioned in the Security Advisory published on September 14th, the following versions of Umbraco are affected:

  • 4.11.9 - 4.11.10
  • 6.0.6 - 6.2.6
  • 7.0.0 - 7.12.2

The vulnerability exists in an external library to Umbraco called Client Dependency Framework (CDF), versions - 1.9.6.  In general it is recommended that you use the very latest version of CDF so that you know that you're secure and benefit from the latest bug fixes and performance improvements.

As advised in last week’s Security Advisory, we highly recommend you make time to fix this issue. If you are not technically responsible for your site, please make sure to reach out to the responsible person/agency so they can take the necessary action.


This advisory is the result of a private penetration test, we have no indication or reports that the vulnerability is currently being exploited in the wild.

The vulnerability is exploitable by any unauthenticated user requesting resources from your public website, a vulnerability of type “Local File Inclusion”. The resources that can be requested includes configuration files and other sensitive internal files not intended for public access.


How to update?

You can either do a manual update, update via NuGet or upgrade to newest version of Umbraco. Umbraco Cloud users will automatically be upgraded.

Manual Update

You’ll need to copy the appropriate new version (1.9.7) below of CDF into the bin folder of your website.

This version is fully backwards compatible with previous versions so you don't need to worry about breaking anything.

To avoid exposure of private information in cached files, you will also need to delete all files in ~/App_Data/ClientDependency or ~/App_Data/Temp/ClientDependency after the upgrade  (make sure to make a backup first).

Updated with NuGet

Run the following command in your Package Manager Console in Visual Studio:

Update-Package ClientDependency -Version 1.9.7

Alternatively you can use the NuGet UI to search for the ClientDependency package and update it to the latest version.

To avoid exposure of private information in cached files, you will also need to delete all files in ~/App_Data/ClientDependency or ~/App_Data/Temp/ClientDependency after the upgrade.

New versions of Umbraco

We are shipping new versions of Umbraco (7.10.5, 7.11.2, and 7.12.3) with the vulnerability fixed for new installs of Umbraco or upgrades from 7.10+. They will be ready for download at around 07:30 UTC. 

If you upgrade, please make sure to delete all files in ~/App_Data/ClientDependency or ~/App_Data/Temp/ClientDependency after the upgrade to avoid exposure of private information in cached files.


If you have additional questions not covered in this blog post please use the forum post on Our Umbraco dedicated to this topic. You can subscribe to email notifications for this forum post (hit the "follow" button at the top right) to receive updates.

We want to thank Element78 and ProCheckUp for responsibly disclosing this issue with us.

We apologize for the inconvenience of this security issue and assure you that we continue to handle security issues with the appropriate attention and urgency.


Related Story

Security advisory: Security patch ready on the 20th of September

A newly found, but not publicly known, security issue could lead to disclosure of private information in Umbraco sites running Umbraco version 4.11.9 and higher. We have a fix ready, which we will release Thursday the 20th of September at 07:00 UTC. This blog post is a heads-up as we highly advise you to be ready for this patch release. No action is required for Umbraco Cloud sites as they will be patched automatically on the 20th of September.

Want to be updated on everything Umbraco?

Sign up for the Umbraco newsletter and get the latest news and special offers sent directly to your inbox