A medium-severity security vulnerability has been found in Umbraco 8, 10, and 11. Patches that resolve it are available for all of these versions, and we suggest that you upgrade your websites. Details about the problem, the sites that are impacted, and instructions on how to make sure your sites are secure can be found below.
In connection with the patches released on March 21, 2023, a new vulnerability was found. The problem has been located and fixed, and new patches are now available for Umbraco 8, 10, and 11.
Who is impacted?
Affected versions: Umbraco 8.2 and up (8.2.0-8.18.6, 10.0.0-10.4.1, and 11.0.0-11.2.1)
Umbraco 9 is no longer supported, and a patch has not been tested on it. If your website is still using Umbraco 9, upgrade to a patched version of Umbraco 10. Sites using Umbraco 7 are not impacted.
Impact
The vulnerability can only be exploited by a user who is signed in and has access to the Umbraco backoffice. It allows users who do not have access to Settings to disclose files.
The impact (access to files) is of medium severity, and given the low-risk conditions under which it could occur, the vulnerability is classified as a medium-severity problem.
How to address the flaw
Patches have been made available for the most recent minor of each supported major version. Sites must be updated to the most recent minor version before the fix can be installed.
Umbraco Cloud
The automated patch tool applies patches to all Umbraco Cloud sites that are running the most recent minor version. To guarantee that all sites are using the most recent version, the patches will be pushed out to Umbraco Cloud today.
The patch can be installed using the minor upgrade function if a project is not running the most recent minor version (8.18.x, 10.4.x, or 11.2.x).
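The version checks described above, as an added example that is not Umbraco's own code: a Python triage that sorts a site inventory into "patch now", "upgrade to the latest minor first", "Umbraco 9" and "not in an affected range", using only the ranges and latest minors listed in this advisory. The function names, status labels and the sample inventory are assumptions made for illustration.

```python
import re

# Inclusive affected ranges, copied from the advisory's "Affected versions" line.
AFFECTED = {
    8: ((8, 2, 0), (8, 18, 6)),
    10: ((10, 0, 0), (10, 4, 1)),
    11: ((11, 0, 0), (11, 2, 1)),
}
# Most recent minor per supported major (8.18.x, 10.4.x, 11.2.x in the advisory).
LATEST_MINOR = {8: 18, 10: 4, 11: 2}


def classify(version_text):
    """Map an installed Umbraco version string to a triage status (labels are assumed)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version_text.strip())
    if m is None:
        # Pre-release tags or odd strings need a human, not a guess.
        return "unparsed-review-manually"
    version = tuple(int(part) for part in m.groups())
    major, minor, _ = version
    if major == 9:
        # Unsupported, no patch tested: the advisory says to move to Umbraco 10.
        return "unsupported-upgrade-to-10"
    if major in AFFECTED:
        low, high = AFFECTED[major]
        if low <= version <= high:
            if minor == LATEST_MINOR[major]:
                return "affected-apply-patch"
            # The patch only installs on the latest minor of each major.
            return "affected-minor-upgrade-first"
    return "not-in-affected-range"


def triage(inventory):
    """Return {site: status} for a {site: version} inventory."""
    return {site: classify(version) for site, version in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; site names and versions are illustrative.
    sample = {
        "intranet": "8.2.0",
        "shop": "10.4.1",
        "blog": "9.5.4",
        "legacy": "7.15.10",
        "campaign": "11.2.1-rc",
    }
    for site, status in triage(sample).items():
        print(f"{site}: {status}")
```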
Information on the issue
No reports have surfaced suggesting that the vulnerability was found and used before it was reported.