Umbraco

Security Advisory: Security patch for Umbraco CMS ready on July 13 at 08 AM UTC

This is a heads-up so you can prepare for action

Bjarke Berg
Written by Bjarke Berg

We have identified a high-severity security issue in Umbraco CMS. This vulnerability could lead to gaining admin-level permissions in specific circumstances. We have a patch ready to address the issue which will be released on Thursday, July 13, 2023, at 08 AM UTC. The security issue is not publicly known. This blog post is a heads-up as we advise you to apply the patch after release. No action is required for Umbraco Cloud sites as they are not affected.

Important: The security advisory has been published and patches are now available. Please refer to the Security Advisory blog post for more information on patch availability and workarounds. 

Who’s affected?

Versions affected: Umbraco 10.0.0-10.6.0, 11.0.0-11.4.1. and Umbraco 12.0.0

Umbraco 9 is likely also subject to the vulnerability but is EOL and will not receive a patch. We recommend upgrading to a supported major version.

Versions prior to Umbraco 9 are not affected.

All sites on Umbraco Cloud are not affected. 

How do I prepare?

As we are looking at a patch upgrade, and the fix is straightforward, we expect the patch upgrade to only require minimal effort per project. 

This is a security patch and we advise you to put aside resources to upgrade to the latest patch version as soon as possible after the release.

Note that the patches will be made available for the latest minor versions of Umbraco 10, 11, and 12. Upgrading to the latest available minor version can be done prior to the patch release which means you are optimally prepared for the patch upgrade.

How to upgrade?

If you’re using Umbraco versions 10.6, 11.4, or 12.0, you will be able to upgrade to a new patch version of these releases the way you would normally upgrade. 

How do you check which version you are on? Reach out with this blog post to your technical contact for your Umbraco site and they will be able to take care of the necessary precautions.

Where do I find the necessary information on July 13, 2023?

On July 13 at 08 AM UTC (find the time in your timezone here), a blog post will be released here on the Umbraco blog with a detailed description of how to fix this security issue.

The blog post will contain a link to the security advisory on GitHub. We will monitor and answer any technical questions you might have related to this. 

What about sites on Umbraco Cloud?

Umbraco Cloud sites are not affected by this issue. The patch versions will automatically be rolled out to all Umbraco Cloud projects on Tuesday, July 18, 2023. This is just to ensure all Cloud sites are running the latest version. 

Severity details:

Due to the severity of this issue, we have chosen not to disclose any further details yet. This is to prevent any exploitation of the vulnerability before the patch is released. Currently, we have no indication that this vulnerability is being exploited.

The reason for the high-severity classification is due to the impact of a successful exploit. In our estimation, sites are only vulnerable in very specific circumstances, and the complexity of the exploit is high, so running sites are not exceedingly vulnerable even after the advisory is public. 

The next update on this issue will be published on the Umbraco blog on July 13 at 8 AM UTC, and a security advisory will be published on GitHub with added details. 

Further details and explanation of the vulnerability will be added to the Security Advisory one month after the patch release, August 14, giving reasonable time to plan and apply patches. 

More Information

If you have any questions or comments about this advisory, make sure to get in touch with us through our dedicated security email address as listed on https://umbraco.com/security. Here you can also find information on how we handle security-related issues.

If you want to get notified about security heads-ups and advisories directly, sign up for the Umbraco Security mailing list.