Umbraco has identified a medium-severity security issue. The vulnerability could potentially allow for phishing attempts.
Patches have been released for all supported versions of the CMS; we advise that the patches be applied as soon as possible.
The security issue is not publicly known.
Which versions are affected?
Versions affected: Umbraco 8.18.5-8.18.13, 10.5.0-10.8.5, 12.0.0-12.3.9, 13.0.0-13.3.0
- Umbraco 11 is likely to be affected; however, as it is end-of-life it will not be patched. The advice here is to upgrade to version 12 or 13.
- Umbraco versions before 8.18.5 are not affected
How to fix the issue
Patches are available for versions 8, 10, 12 and 13.
To resolve the issue, update to the latest minor version.
Please reach out to the agency or developer responsible for your website; alternatively, reach out to us if you are interested in our patching and support SLA.
What's known about the vulnerability
Please see the Security Advisory on the GitHub repository for the details.
There have been no reports that the vulnerability has been exploited prior to being reported.
The Issue
Umbraco has an endpoint that is vulnerable to open redirects. The endpoint is protected, so it requires the user to be signed in to the backoffice before the vulnerability is exposed.
Due to the impact of a successful exploit, the vulnerability has been classified as medium severity.
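The defensive check that an open-redirect fix of this kind comes down to is shown below as an added example (not Umbraco's own code and not the patched endpoint): accept only a site-relative return path and fall back to a fixed landing page otherwise. The `/umbraco` fallback and the `RedirectTargetCheck` class are assumptions made for this illustration.

```csharp
using System;

// Added example, not Umbraco's code. Writes out the "local URL only" rule that
// ASP.NET Core's IUrlHelper.IsLocalUrl enforces, so the rejected shapes are visible:
// absolute URLs, protocol-relative "//host", "/\host", and non-path values.
public static class RedirectTargetCheck
{
    // Returns true only for a same-site relative path such as "/umbraco/section".
    public static bool IsSafeLocalRedirect(string? returnUrl)
    {
        if (string.IsNullOrWhiteSpace(returnUrl))
            return false;

        // Must start with a single "/" (site-relative). "//host" and "/\host"
        // are treated by browsers as a new authority, so they are rejected.
        if (returnUrl[0] != '/')
            return false;
        if (returnUrl.Length > 1 && (returnUrl[1] == '/' || returnUrl[1] == '\\'))
            return false;

        // Reject control characters and whitespace that some parsers strip,
        // e.g. "/\t/evil.example" being collapsed into "//evil.example".
        foreach (char c in returnUrl)
        {
            if (char.IsControl(c) || char.IsWhiteSpace(c))
                return false;
        }

        // The parsed value must still be relative, never an absolute URI.
        return Uri.TryCreate(returnUrl, UriKind.Relative, out _);
    }

    // Uses a known-safe landing page (assumed here: the backoffice root)
    // whenever the supplied target fails the check.
    public static string ResolveRedirect(string? returnUrl, string fallback = "/umbraco")
        => IsSafeLocalRedirect(returnUrl) ? returnUrl! : fallback;

    public static void Main()
    {
        // Constructed sample targets: one legitimate path, the rest hostile shapes.
        string[] samples = { "/umbraco/content", "//evil.example", "/\\evil.example",
                             "https://evil.example/login", "javascript:alert(1)", "" };
        foreach (var s in samples)
            Console.WriteLine($"{s,-28} -> {ResolveRedirect(s)}");
    }
}
```

Only the first sample is passed through unchanged; every other value resolves to the fallback, which is the behaviour a redirect-after-login endpoint should have.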
Further details
Umbraco will release further details about the vulnerability on 21st June 2024; this will give reasonable time for the patches to be applied.
You can read more about the vulnerability on the Umbraco blog here.