16683508582 2C86a1dcf0 H

Security advisory: Security patch ready on the 20th of September

Authorimg 3348
Written by Jacob Midtgaard-Olesen

A newly found, but not publicly known, security issue could lead to disclosure of private information in Umbraco sites running Umbraco version 4.11.9 and higher. We have a fix ready, which we will release Thursday the 20th of September at 07:00 UTC. This blog post is a heads-up as we highly advise you to be ready for this patch release. No action is required for Umbraco Cloud sites as they will be patched automatically on the 20th of September.

Who is affected?

Sites running Umbraco version:

  • 4.11.9 - 4.11.10
  • 6.0.6 - 6.2.6
  • 7.0.0 - 7.12.2

These sites should have the patch implemented when it is released next week.

How do you check which version you are on? Reach out with this blog post to your technical contact for your Umbraco site and they will be able to take care of the necessary precautions.

 

How to prepare?

Because we are looking at a patch upgrade or file replacements, we expect the fix to be rather straightforward and to only require minimal time.

As this is a security patch we highly advise you to put aside resources to get this fixed. This is also why we give you this information before we release the patch publicly. 

If you’re using Umbraco versions 7.10, 7.11 or 7.12 then you’ll be able to upgrade to a new patch version of these releases the way you would normally upgrade. This will fix the vulnerability.

If you’re using a version lower than 7.10, get ready to manually deploy changes to your site.

 

How to upgrade on the 20th of September?

On the 20th of September at 07:00 UTC (09:00 CEST, 07:00 GMT, 03:00 CST, 17:00 ACT), a post will be released here on the Umbraco blog with a detailed description on how to fix this security issue for the various sites affected.  

We will create a dedicated forum post on Our Umbraco that we will link to in the blog post published next week.  

Umbraco Cloud: As mentioned in the intro, all Umbraco Cloud sites will automatically be patched on the 20th of September and do not need to take any action.   

 

Severity details:

Due to the severity of this issue, we have chosen not to disclose any further details yet. This is to prevent any exploitation of the vulnerability before the patch is released. Currently, we have no indication that this vulnerability is being exploited in the wild.


The next update on this issue will be published on the Umbraco blog on Thursday the 20th of September at 07:00 UTC.

Loved by developers, used by thousands around the world!

One of the biggest benefits of using Umbraco is that we have the friendliest Open Source community on this planet. A community that's incredibly pro-active, extremely talented and helpful.

If you get an idea for something you would like to build in Umbraco, chances are that someone has already built it. And if you have a question, are looking for documentation or need friendly advise, go ahead and ask the Umbraco community on Our.

Number of active installs
502567
Number of active members in the community
221745
Known free Umbraco packages available
1211

Want to be updated on everything Umbraco?

Sign up for the Umbraco newsletter and get the latest news and special offers sent directly to your inbox