16683508582 2C86a1dcf0 H (13)

Umbraco Forms Security Notice

Written by:

A routine security audit conducted by Umbraco’s third party security analyst, Dionach has identified a vulnerability in our add-on product Umbraco Forms

October 2016: A routine security audit conducted by Umbraco’s third party security analyst, Dionach has identified a vulnerability in our add-on product Umbraco Forms. This issue has been immediately patched and the latest version of Forms is available for download today. If you do not currently use Umbraco Forms to accept form submissions, then your site is not at risk. If you are running Umbraco as a Service (Umbraco Cloud), you will have been patched automatically and no update is required. We recommend that you update all installations running Umbraco Forms. Please note, this affects all versions of Umbraco Forms but does not affect Contour.

Issue details

Under certain circumstances the issue could allow people logged into the Umbraco Back Office to view unauthorised files by guessing file paths and filenames.

Severity

We estimate that for the majority of sites, the likelihood of the issue being exploited is low because users need to have authorised access to the Umbraco Back Office. With properly configured servers and the correct file permissions applied, gaining access to files outside of the website root is unlikely.

How to update Umbraco Forms

You can update your installation in various number of ways, such as an Umbraco package install, Nuget package or manual zip file as the fix is found in the DLLs.

Depending on your current version of Forms installed 4.1.5, 4.2.1 or 4.3.2 there is an associated patch release version as follows:

4.1.5 → 4.1.6
https://our.umbraco.org/projects/developer-tools/umbraco-forms/ 
https://www.nuget.org/packages/UmbracoForms/4.1.6

4.2.1 → 4.2.2
https://our.umbraco.org/projects/developer-tools/umbraco-forms/ 
https://www.nuget.org/packages/UmbracoForms/4.2.2

4.3.2 → 4.3.3
https://our.umbraco.org/projects/developer-tools/umbraco-forms/
https://www.nuget.org/packages/UmbracoForms/4.3.3

If you plan to accept form submissions through Umbraco Forms in the future, then be sure to use the latest version of Umbraco Forms to at least version 4.3.3.

Umbraco’s third party security analyst, Dionach, will be releasing a public security bulletin on this discovery in 2 weeks time.

We apologies for any inconvenience and if you have any follow-up questions, please let us know by sending us a support request through your Umbraco.com profile page

 

Loved by developers, used by thousands around the world!

One of the biggest benefits of using Umbraco is that we have the friendliest Open Source community on this planet. A community that's incredibly pro-active, extremely talented and helpful.

If you get an idea for something you would like to build in Umbraco, chances are that someone has already built it. And if you have a question, are looking for documentation or need friendly advise, go ahead and ask the Umbraco community on Our.

Number of active installs
502567
Number of active members in the community
221745
Known free Umbraco packages available
1211

Want to be updated on everything Umbraco?

Sign up for the Umbraco newsletter and get the latest news and special offers sent directly to your inbox