Umbraco Forms Security update
Who is affected?
If you are running Umbraco Forms version 4.4.0 or higher, you are affected. If you are running a version below 4.4.0 or any version of Umbraco Contour you are not affected. We have previously reached out to everyone we know has Forms installed to give an early warning regarding this issue, but to be on the safe side, you should check which version of Forms you are running in all of your websites.
You can check your Forms version by logging in to the Backoffice and clicking on the Forms section; the Dashboard will show the current version number. (You can also check the version number in the file ~/App_Plugins/UmbracoForms/version)
If your Forms version number is 4.4.0 or higher you should upgrade as soon as possible.
How to upgrade
We have now released the new versions of Forms 4.4, 6 and 7. In order to apply the fixes you should upgrade to the latest patch version first, to make it as easy as possible to update.
These releases of Forms can be downloaded from Our Umbraco or from NuGet. The upgrade will require some DLL files to be replaced. Umbraco Cloud sites will be upgraded automatically.
- If you are running Forms version 4.4.x, make sure to upgrade to 4.4.7
- If you are running Forms version 6.0.x, make sure to upgrade to 6.0.8
- If you are running Forms version 7.0.x, make sure to upgrade to 7.0.3
We strongly encourage you to upgrade immediately, since the severity of the vulnerability is critical.
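An added example (not Umbraco's own tooling) for checking several sites at once: it reads the version file under each site root and applies the affected and fixed version numbers from this advisory. It assumes the file holds a plain major.minor.patch string; the site root paths passed on the command line are hypothetical.

```python
import re
from pathlib import Path

# Values from the advisory: first affected release and the fixed patch per branch.
FIRST_AFFECTED = (4, 4, 0)
FIXED = {(4, 4): (4, 4, 7), (6, 0): (6, 0, 8), (7, 0): (7, 0, 3)}
# Location of the version file, relative to the site root.
VERSION_FILE = Path("App_Plugins") / "UmbracoForms" / "version"


def parse_version(text):
    """Return (major, minor, patch), or None if the text is not a version."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(p) for p in m.groups()) if m else None


def triage(text):
    """Map a version string to (status, version to upgrade to or None)."""
    v = parse_version(text)
    if v is None:
        return ("unreadable", None)
    if v < FIRST_AFFECTED:
        return ("not-affected", None)
    fixed = FIXED.get(v[:2])
    if fixed is None:
        # 4.4.0 or higher, but the advisory names no fixed release for this branch.
        return ("check-manually", None)
    if v >= fixed:
        return ("patched", None)
    return ("upgrade", ".".join(str(p) for p in fixed))


def audit_sites(site_roots):
    """Return {site root: (status, target)} for each root directory given."""
    report = {}
    for root in site_roots:
        path = Path(root) / VERSION_FILE
        if not path.is_file():
            report[str(root)] = ("forms-not-found", None)
            continue
        # utf-8-sig drops a byte-order mark if the file was saved with one.
        report[str(root)] = triage(path.read_text(encoding="utf-8-sig"))
    return report


if __name__ == "__main__":
    import sys
    for site, (status, target) in audit_sites(sys.argv[1:]).items():
        print(site, status, target or "")
```

Run it with one or more site root directories as arguments; any site reported as "upgrade" or "check-manually" needs attention.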
Details
A remote code execution vulnerability exists in the core functionality of Umbraco Forms version 4.4.0+. This allows attackers to exploit an Umbraco site, which results in the site being compromised.
We will not reveal the exact nature of the vulnerability in order to make it possible for everybody to prepare and to patch their Forms installs.
We have no indication that this vulnerability is currently being exploited in the wild.
Questions
If you have any questions, please reach out to us and we’ll get back to you shortly.
- Umbraco HQ