Wednesday, January 27, 2016

Umbraco Forms Security Notice

An important security issue has been reported in Umbraco Forms. The issue has been immediately patched and a new version of Forms has been made available for download today.

We highly recommend that you upgrade all installations running Umbraco Forms. Please note, this issue does not affect Contour, only Umbraco Forms.

How to upgrade Umbraco Forms:

Log into the Umbraco site, go to the Forms section and you will see a message on the dashboard that reads "A new version of Umbraco Forms is available". Click the upgrade button and your website will be updated in approximately 10-20 seconds.

Developers can download the latest version of Umbraco Forms from Nuget.

Projects running on Umbraco as a Service have already been patched automatically and require no further action. When you log into your UaaS portal you will see a list of fully updated projects in the notifications in the top-right corner.

If you do not currently use Umbraco Forms to accept form submissions then your site is not at risk. If you plan to accept form submissions through Umbraco Forms in the future then you will need to update Umbraco Forms to at least version 4.1.5.

Issue details:

- All versions of Umbraco Forms are affected by this issue. This issue does not affect Contour.
- Under certain circumstances it enables unauthenticated attackers to see previously submitted form data.
- We highly recommend you upgrade your installations today.

If you have any follow-up questions, please make sure to send them as a support request through your profile page.

Thank you for your understanding and we apologise for any inconvenience.

Umbraco HQ

Want to be updated on everything Umbraco?

Sign up for the Umbraco newsletter and get the latest news and special offers sent directly to your inbox