Security advisory: Security patch ready on the 20th of September
Who is affected?
Sites running Umbraco versions:
- 4.11.9 - 4.11.10
- 6.0.6 - 6.2.6
- 7.0.0 - 7.12.2
These sites should have the patch implemented when it is released next week.
How do you check which version you are on? Send this blog post to the technical contact for your Umbraco site; they will be able to take care of the necessary precautions.
How to prepare?
Because we are looking at a patch upgrade or file replacements, we expect the fix to be rather straightforward and to only require minimal time.
As this is a security patch, we highly advise you to set aside resources to get this fixed. This is also why we are giving you this information before we release the patch publicly.
If you’re using Umbraco versions 7.10, 7.11 or 7.12 then you’ll be able to upgrade to a new patch version of these releases the way you would normally upgrade. This will fix the vulnerability.
If you’re using a version lower than 7.10, get ready to manually deploy changes to your site.
How to upgrade on the 20th of September?
On the 20th of September at 07:00 UTC (09:00 CEST, 07:00 GMT, 03:00 CST, 17:00 ACT), a post will be released here on the Umbraco blog with a detailed description of how to fix this security issue for the various sites affected.
We will create a dedicated forum post on Our Umbraco that we will link to in the blog post published next week.
Umbraco Cloud: As mentioned in the intro, all Umbraco Cloud sites will automatically be patched on the 20th of September, and their owners do not need to take any action.
Severity details:
Due to the severity of this issue, we have chosen not to disclose any further details yet. This is to prevent any exploitation of the vulnerability before the patch is released. Currently, we have no indication that this vulnerability is being exploited in the wild.
The next update on this issue will be published on the Umbraco blog on Thursday the 20th of September at 07:00 UTC.