Researchers at AppCheck have discovered a security issue within Umbraco Forms which could lead to a remote code execution attack and/or arbitrary file deletion. Umbraco are advising everyone be ready for a fix which is to be released 20th July at 7am UTC.
All versions of Umbraco Forms v4.0.0 and up are affected by this vulnerability.
Be ready to apply the patch upon release. Umbraco ‘highly advise’ putting aside the resources to apply this fix as soon as possible. More information on the fix and how to apply is available on the Umbraco website or below.
If you’re using Umbraco Forms versions 8, 7 and 6 you will be able to upgrade to a new patch version of your current minor version, no matter what minor version you are using now. For example:
You are using Forms 8.1.x (8.1.0, 8.1.2 or 8.1.3) right now, you will be able to upgrade to 8.1.4
You are using Forms 7.5.x (7.5.0, 7.5.1, 7.5.2 or 7.5.3) right now, you will be able to upgrade to 7.5.4.
And so on, so for each minor version of Umbraco Forms 6, 7, or 8, there will be a patch version to upgrade to.
For sites running Umbraco Forms version 4 will need to upgrade to the latest version of v4.
We are releasing versions 4.4.8 on July 20
If you’re on a (much) lower version than 4.4.7 right now then you can prepare by upgrading to 4.4.7 in the coming days, to make sure everything still works and that the final upgrade to 4.4.8 is as easy as possible.
How do you check which version you are on? Reach out with this blog post to your technical contact for your Umbraco site and they will be able to take care of the necessary precautions.
All Umbraco Cloud sites will automatically get the security fix applied on July 20th between 7 AM – 9 PM UTC.
Due to the severity of this issue, we have chosen not to disclose any further details yet. This is to prevent any exploitation of the vulnerability before the patch is released. At the time of writing Umbraco themselves are not sure if the vulnerability is being exploited in the wild.
AppCheck will follow this up with a tech advisory on the 15th of August as agreed with the vendor. Check back for further details.
AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations websites, applications, network, and cloud infrastructure.
As always, if you require any more information on this topic or want to see what unexpected vulnerabilities AppCheck can pick up in your website and applications then please get in contact with us: firstname.lastname@example.org
No software to download or install.
Contact us or call us 0113 887 8380