Tuesday, May 15, 2018

Umbraco Forms Security update

Who is affected?

If you are running Umbraco Forms version 4.4.0 or higher, you are affected. If you are running a version below 4.4.0 or any version of Umbraco Contour, you are not affected. We have previously reached out to everyone we know has Forms installed to give an early warning regarding this issue, but to be on the safe side, you should check which version of Forms you are running in all of your websites.

You can check your Forms version by logging in to the Backoffice and clicking on the Forms section; the Dashboard will show the current version number. (You can also check the version number in the file ~/App_Plugins/UmbracoForms/version)

If your Forms version number is 4.4.0 or higher you should upgrade as soon as possible.

How to upgrade

We have now released the new versions of Forms 4.4, 6 and 7. In order to apply the fixes you should upgrade to the latest patch version first, to make it as easy as possible to update.

These releases of Forms can be downloaded from Our Umbraco or from NuGet. The upgrade will require some DLL files to be replaced. Umbraco Cloud sites will be upgraded automatically.

  • If you are running Forms version 4.4.x, make sure to upgrade to 4.4.7
  • If you are running Forms version 6.0.x, make sure to upgrade to 6.0.8
  • If you are running Forms version 7.0.x, make sure to upgrade to 7.0.3

We strongly encourage you to upgrade immediately, since the severity of the vulnerability is critical.
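
To check many sites at once, the version rules above can be scripted. The following Python script is an added example, not Umbraco's own code; it assumes each site's ~/App_Plugins/UmbracoForms/version file holds a plain version string such as 6.0.5, and all function names are illustrative.

```python
import re
import tempfile
from pathlib import Path

# Fixed patch releases named in the advisory, keyed by (major, minor) branch.
FIXED = {(4, 4): (4, 4, 7), (6, 0): (6, 0, 8), (7, 0): (7, 0, 3)}
FIRST_AFFECTED = (4, 4, 0)

def parse_version(text):
    """Return (major, minor, patch) from text such as '6.0.5', else None."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(p) for p in m.groups()) if m else None

def classify(text):
    """Map a version string to a status using the advisory's ranges."""
    v = parse_version(text)
    if v is None:
        return "unreadable"
    if v < FIRST_AFFECTED:
        return "not affected"
    fixed = FIXED.get(v[:2])
    if fixed is None:  # 4.4.0+ but on a branch the advisory lists no fix for
        return "affected range, no fix listed for this branch"
    if v >= fixed:
        return "patched"
    return "vulnerable, upgrade to " + ".".join(map(str, fixed))

def scan(root):
    """Classify every App_Plugins/UmbracoForms/version file under root."""
    results = {}
    for f in Path(root).rglob("version"):
        parents = [f.parent.name.lower(), f.parent.parent.name.lower()]
        if f.is_file() and parents == ["umbracoforms", "app_plugins"]:
            site = f.parents[2].relative_to(root).as_posix()
            results[site] = classify(f.read_text(encoding="utf-8-sig", errors="replace"))
    return results

def demo():
    """Scan a constructed tree of three sites (sample data, not real installs)."""
    with tempfile.TemporaryDirectory() as tmp:
        for site, ver in {"shop": "6.0.5", "blog": "4.4.7", "intranet": "4.3.2"}.items():
            d = Path(tmp, site, "App_Plugins", "UmbracoForms")
            d.mkdir(parents=True)
            (d / "version").write_text(ver + "\n")
        return scan(tmp)

if __name__ == "__main__":
    for site, status in sorted(demo().items()):
        print(f"{site}: {status}")
```

Point scan() at the folder that contains your site roots; any result other than "patched" or "not affected" needs follow-up.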

Details

A remote code execution vulnerability exists in the core functionality of Umbraco Forms version 4.4.0+. This allows attackers to exploit an Umbraco site, which results in the site being compromised.

We will not reveal the exact nature of the vulnerability in order to make it possible for everybody to prepare and to patch their Forms installs.

We have no indication that this vulnerability is currently being exploited in the wild.

Questions

If you have any questions, please reach out to us and we’ll get back to you shortly.

- Umbraco HQ
