Who is affected?
If your are running Umbraco Forms version 4.4.0 or higher, you are affected. If you are running a version below 4.4.0 or any version of Umbraco Contour you are not affected. We have previously reached out to everyone we know has Forms installed to give an early warning regarding this issue, but to be on the safe side, you should check which version of Forms you are running in all of your websites.
You can check your Forms version by logging in to the Backoffice, click on the Forms section and the Dashboard will show the current version number. (You can also check the version number in the file ~/App_Plugings/UmbracoForms/version)
If your Forms version number is 4.4.0 or higher you should upgrade as soon as possible.
How to upgrade
We have now released the new versions of Forms 4.4, 6 and 7. In order to apply the fixes you should upgrade to the latest patch version first, to make it as easy as possible to update.
- If you are running Forms version 4.4.x, make sure to upgrade to 4.4.7
- If you are running Forms version 6.0.x, make sure to upgrade to 6.0.8
- If you are running Forms version 7.0.x, make sure to upgrade to 7.0.3
We strongly encourage you to upgrade immediately, since the severity of the vulnerability is critical.
A remote code execution vulnerability exists in the core functionality of Umbraco Forms version 4.4.0+. This allows attackers to exploit an Umbraco site, which results in the site being compromised.
We will not reveal the exact nature of the vulnerability in order to make it possible for everybody to prepare and to patch their Forms installs.
We have no indication that this vulnerability is currently being exploited in the wild.
If you have any questions, please reach out to us and we’ll get back to you shortly.
- Umbraco HQ