If you are uncertain about how to handle this advisory, reach out to your technical contact/web agency for your Umbraco site and provide them with a link to this blog post and they will be able to take the necessary precautions.
Versions affected: Umbraco 9.0.0-9.5.3 and 10.0.0-10.1.0
All sites with Unattended Upgrades enabled are not affected including Umbraco Cloud sites.
All sites running Umbraco 7 or 8 are not affected.
This vulnerability is only exposed when you're redirected to the AuthorizeUpgrade page (when the upgrade screen/wizard is showing). In this case, unauthorized users can get access to the backoffice with admin permissions.
While the impact is high (unauthorized user access), the circumstances where this can take place are rare (low risk) and as a consequence, the vulnerability has been categorized as a medium-severity issue.
How to fix the vulnerability
Umbraco Cloud (no action required)
Umbraco Cloud sites are not exposed to the vulnerability and no action is required. Unattended Upgrades are enabled on Umbraco Cloud sites which means a site will not encounter the upgrade state mentioned above.
The patches will be rolled out to Umbraco Cloud today simply to ensure all sites are running the latest version.
Patch your Umbraco 9 or 10 site to the latest version. Both versions are available on NuGet:
If you for some reason cannot apply the latest patch. A temporary workaround is to enable Unattended Upgrades for your site. This means the site will not encounter the upgrade state and the vulnerability will not be exploitable. Once the patch has been applied it is safe to disable Unattended Upgrades again.
See the Unattended Upgrade documentation for more details on this.
What we know about the vulnerability
The issue was discovered during internal testing. There have been no reports indicating that the vulnerability was discovered and exploited by anyone.
Identified and fixed by the Umbraco HQ development team.
If you have any questions or comments about this advisory, make sure to get in touch with us through our dedicated security email address as listed on https://umbraco.com/security. Here you can also find information on how we handle security-related issues.
If you want to get notified about security heads-ups and advisories directly, sign up for the Umbraco Security mailing list.