Book discovery call
Book discovery call
Menu
Umbraco logo in white on blue background

Security Patch for your site is now available

We recommend you fix this issue ASAP

Bjarke Mikkelsen Berg
Written by Bjarke Berg

A medium-severity security issue has been identified in Umbraco 9 and 10. To address this we have released patches for both versions. We advise you to update your sites as soon as possible. All sites with Unattended Upgrades enabled are not affected including Umbraco Cloud sites. Below you will find details on the issue, what sites are affected, and how to ensure your sites are protected.

If you are uncertain about how to handle this advisory, reach out to your technical contact/web agency for your Umbraco site and provide them with a link to this blog post and they will be able to take the necessary precautions.

Who’s affected?

Versions affected: Umbraco 9.0.0-9.5.3 and 10.0.0-10.1.0

All sites with Unattended Upgrades enabled are not affected including Umbraco Cloud sites.

All sites running Umbraco 7 or 8 are not affected

Impact

This vulnerability is only exposed when you're redirected to the AuthorizeUpgrade page (when the upgrade screen/wizard is showing). In this case, unauthorized users can get access to the backoffice with admin permissions. 

While the impact is high (unauthorized user access), the circumstances where this can take place are rare (low risk) and as a consequence, the vulnerability has been categorized as a medium-severity issue. 

How to fix the vulnerability

Umbraco Cloud (no action required)

Umbraco Cloud sites are not exposed to the vulnerability and no action is required. Unattended Upgrades are enabled on Umbraco Cloud sites which means a site will not encounter the upgrade state mentioned above. 

The patches will be rolled out to Umbraco Cloud today simply to ensure all sites are running the latest version.

Manual Upgrade:

Patch your Umbraco 9 or 10 site to the latest version. Both versions are available on NuGet:

Workaround 

If you for some reason cannot apply the latest patch. A temporary workaround is to enable Unattended Upgrades for your site. This means the site will not encounter the upgrade state and the vulnerability will not be exploitable. Once the patch has been applied it is safe to disable Unattended Upgrades again. 

See the Unattended Upgrade documentation for more details on this.

What we know about the vulnerability

The issue was discovered during internal testing. There have been no reports indicating that the vulnerability was discovered and exploited by anyone. 

Credit

Identified and fixed by the Umbraco HQ development team.

Any questions?

If you have any questions or comments about this advisory, make sure to get in touch with us through our dedicated security email address as listed on https://umbraco.com/security. Here you can also find information on how we handle security-related issues.

If you want to get notified about security heads-ups and advisories directly, sign up for the Umbraco Security mailing list.

Related story >

Bjarke Mikkelsen Berg
Written by Bjarke Berg

Security Advisory: Patch ready on September 6 at 08 AM UTC

 A medium-severity security issue has been identified in Umbraco CMS. A fix will be published on September 6. This is a heads-up so you can prepare for action

Loved by developers, used by thousands around the world!

One of the biggest benefits of using Umbraco is that we have the friendliest Open Source community on this planet. A community that's incredibly pro-active, extremely talented and helpful.

If you get an idea for something you would like to build in Umbraco, chances are that someone has already built it. And if you have a question, are looking for documentation or need friendly advice, go ahead and ask on the community forums.

Want to be updated on everything Umbraco?

Sign up for the Umbraco newsletter and get the latest news and special offers sent directly to your inbox