
Security Patch for your site is now available

We recommend you fix this issue ASAP

Written by Bjarke Berg

A medium-severity security issue has been identified in Umbraco 9 and 10. To address this we have released patches for both versions. We advise you to update your sites as soon as possible. Sites with Unattended Upgrades enabled, including Umbraco Cloud sites, are not affected. Below you will find details on the issue, which sites are affected, and how to ensure your sites are protected.

If you are uncertain about how to handle this advisory, reach out to your technical contact/web agency for your Umbraco site and provide them with a link to this blog post and they will be able to take the necessary precautions.

Who’s affected?

Versions affected: Umbraco 9.0.0-9.5.3 and 10.0.0-10.1.0

Sites with Unattended Upgrades enabled, including Umbraco Cloud sites, are not affected.

Sites running Umbraco 7 or 8 are not affected.

Impact

This vulnerability is only exposed when you're redirected to the AuthorizeUpgrade page (when the upgrade screen/wizard is showing). In this case, unauthorized users can get access to the backoffice with admin permissions. 

While the impact is high (unauthorized user access), the circumstances where this can take place are rare (low risk) and as a consequence, the vulnerability has been categorized as a medium-severity issue. 

How to fix the vulnerability

Umbraco Cloud (no action required)

Umbraco Cloud sites are not exposed to the vulnerability and no action is required. Unattended Upgrades are enabled on Umbraco Cloud sites which means a site will not encounter the upgrade state mentioned above. 

The patches will be rolled out to Umbraco Cloud today simply to ensure all sites are running the latest version.

Manual Upgrade

Patch your Umbraco 9 or 10 site to the latest version. Both versions are available on NuGet.

Workaround 

If for some reason you cannot apply the latest patch, a temporary workaround is to enable Unattended Upgrades for your site. This means the site will not encounter the upgrade state, so the vulnerability is not exploitable. Once the patch has been applied it is safe to disable Unattended Upgrades again.

See the Unattended Upgrade documentation for more details on this.
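The following triage script is an added example, not code from Umbraco or from this advisory. It covers both the "Who's affected?" version ranges above (9.0.0-9.5.3 and 10.0.0-10.1.0) and the Unattended Upgrades workaround: it reads the `Umbraco.Cms` package version from a site's `.csproj`, checks it against those ranges, and then looks for the `Umbraco:CMS:Unattended:UpgradeUnattended` setting in `appsettings.json`. That configuration key is taken from the Umbraco 9/10 configuration schema as I know it, not from this page; the sample `.csproj` and `appsettings.json` contents are constructed for the example.

```python
"""Triage helper for the Umbraco 9/10 AuthorizeUpgrade advisory (added example).

Checks whether a site's Umbraco.Cms version falls in the affected ranges the
advisory states, and whether the Unattended Upgrades workaround is switched on.
"""
import json
import re
import xml.etree.ElementTree as ET

# Affected ranges as stated in the advisory (inclusive on both ends).
AFFECTED_RANGES = [((9, 0, 0), (9, 5, 3)), ((10, 0, 0), (10, 1, 0))]

# Configuration path for the workaround; assumed from Umbraco 9/10's
# appsettings.json schema (Umbraco -> CMS -> Unattended -> UpgradeUnattended).
UNATTENDED_PATH = ("Umbraco", "CMS", "Unattended", "UpgradeUnattended")

# Constructed sample inputs (not from a real site).
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="Umbraco.Cms" Version="10.1.0" />
  </ItemGroup>
</Project>"""
SAMPLE_APPSETTINGS_OFF = '{"Umbraco": {"CMS": {"Unattended": {"UpgradeUnattended": false}}}}'
SAMPLE_APPSETTINGS_ON = '{"Umbraco": {"CMS": {"Unattended": {"UpgradeUnattended": true}}}}'


def parse_version(text):
    """Return (major, minor, patch) from a NuGet version string such as '10.1.0-rc'."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected_version(version):
    """True if the version lies inside one of the advisory's affected ranges."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def umbraco_version_from_csproj(csproj_xml):
    """Return the Version attribute of the Umbraco.Cms PackageReference, or None."""
    root = ET.fromstring(csproj_xml)
    for ref in root.iter("PackageReference"):
        if ref.get("Include", "").lower() == "umbraco.cms":
            return ref.get("Version")
    return None


def unattended_upgrade_enabled(appsettings_json):
    """True if Umbraco:CMS:Unattended:UpgradeUnattended is set to true.

    ASP.NET Core configuration keys are case-insensitive and a JSON string
    "true" binds to a bool, so both forms are accepted here.
    """
    node = json.loads(appsettings_json)
    for key in UNATTENDED_PATH:
        if not isinstance(node, dict):
            return False
        node = next((v for k, v in node.items() if k.lower() == key.lower()), None)
    if isinstance(node, str):
        return node.strip().lower() == "true"
    return node is True


def assess(csproj_xml, appsettings_json):
    """Combine the version check and the workaround check into one verdict."""
    version = umbraco_version_from_csproj(csproj_xml)
    if version is None:
        return "unknown: no Umbraco.Cms PackageReference found"
    if not is_affected_version(version):
        return f"not affected: Umbraco.Cms {version} is outside the affected ranges"
    if unattended_upgrade_enabled(appsettings_json):
        return (f"mitigated: Umbraco.Cms {version} is affected, but Unattended Upgrades "
                f"are enabled (workaround); apply the patch when possible")
    return (f"AFFECTED: Umbraco.Cms {version} with Unattended Upgrades disabled; "
            f"apply the patch or enable UpgradeUnattended now")


if __name__ == "__main__":
    print(assess(SAMPLE_CSPROJ, SAMPLE_APPSETTINGS_OFF))
    print(assess(SAMPLE_CSPROJ, SAMPLE_APPSETTINGS_ON))
```

The script only reads `appsettings.json`; the same setting can also come from an environment-specific file such as `appsettings.Production.json` or from an environment variable, so treat a "disabled" result as a prompt to check those sources too before concluding the workaround is not in place.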

What we know about the vulnerability

The issue was discovered during internal testing. There have been no reports indicating that the vulnerability was discovered and exploited by anyone. 

Credit

Identified and fixed by the Umbraco HQ development team.

Any questions?

If you have any questions or comments about this advisory, make sure to get in touch with us through our dedicated security email address as listed on https://umbraco.com/security. Here you can also find information on how we handle security-related issues.

If you want to get notified about security heads-ups and advisories directly, sign up for the Umbraco Security mailing list.