Umbraco has identified four unrelated medium-severity security issues. These vulnerabilities may allow potential code execution and enable malicious users to exploit cookies.
Patches have been released for all supported versions of the CMS; we advise that the patches be applied as soon as possible.
The security issue is not publicly known.
Which versions are affected?
Versions affected: Umbraco 8.0.0-8.18.14, 10.0.0-10.8.6, 13.0.0-13.5.1, 14.0.0-14.3.0
- Umbraco 8 is affected by 2 medium-severity issues
- Umbraco 10 is affected by 3 medium-severity issues
- Umbraco 13 is affected by 3 medium-severity issues
- Umbraco 14 is affected by 1 medium-severity issue
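To make the affected ranges above easy to check against an installed site, here is an added example (written for this page, not Umbraco's own code) that parses a version string and reports whether it falls inside one of the inclusive ranges listed in the advisory. The sample version strings at the bottom are constructed for illustration. Pre-release builds are reported separately rather than compared, because the advisory only lists release versions, and majors that the advisory does not mention (for example 9, 11 or 12) are reported as "not-listed" rather than as safe.

```python
"""Check an Umbraco version string against the advisory's affected ranges."""
import re
from typing import Dict, Iterable, Tuple

Version = Tuple[int, int, int]

# Inclusive (low, high) ranges copied from the advisory's "Versions affected" line.
AFFECTED_RANGES: Tuple[Tuple[Version, Version], ...] = (
    ((8, 0, 0), (8, 18, 14)),
    ((10, 0, 0), (10, 8, 6)),
    ((13, 0, 0), (13, 5, 1)),
    ((14, 0, 0), (14, 3, 0)),
)

# major.minor.patch with an optional semver pre-release tag and build metadata.
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$"
)


def parse_version(text: str) -> Tuple[Version, str]:
    """Return ((major, minor, patch), prerelease_tag); raise ValueError on junk."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, prerelease = match.groups()
    return (int(major), int(minor), int(patch)), (prerelease or "")


def classify(text: str) -> str:
    """Classify one version as 'affected', 'not-listed' or 'prerelease'.

    'not-listed' means the version is outside every listed range; it does not
    assert that the version is unaffected (the advisory covers supported majors
    only), so unsupported majors also land here.
    """
    version, prerelease = parse_version(text)
    if prerelease:
        # The advisory lists release versions only; a pre-release cannot be
        # placed reliably relative to the listed boundaries, so flag it.
        return "prerelease"
    if any(low <= version <= high for low, high in AFFECTED_RANGES):
        return "affected"
    return "not-listed"


def is_affected(text: str) -> bool:
    """True only when the version is inside a listed affected range."""
    return classify(text) == "affected"


def triage(versions: Iterable[str]) -> Dict[str, str]:
    """Classify a batch of version strings, e.g. gathered from several sites."""
    return {v: classify(v) for v in versions}


if __name__ == "__main__":
    # Constructed sample inputs, chosen to sit on and just past the boundaries.
    SAMPLE = ["8.18.14", "8.18.15", "10.8.6", "12.3.0", "13.5.2", "14.3.0", "14.3.1-rc1"]
    for version_text, verdict in triage(SAMPLE).items():
        print(f"{version_text:>12}: {verdict}")
```

The boundary cases matter most: 8.18.14 is inside the listed range while 8.18.15 is not, so an off-by-one in a hand-written comparison would misreport exactly the sites that most need patching.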
How to fix the issue
Patches are available for versions 8, 10, 13 and 14.
The upgrade process is to update to the latest minor to resolve the issue.
Please reach out to the agency or developer responsible for your website; alternatively, please reach out to us if you are interested in our patching and support SLA.
What's known about the vulnerability
Please see the below security advisories:
- Stored XSS in the “dictionary name” on Dictionary section
- Potential Code Execution Risk When Viewing SVG Files in Full Screen in Backoffice
- Incomplete Server Termination During Explicit Sign-Out
- Logout page displayed before session expiration
There have been no reports that the vulnerability has been exploited prior to being reported.
The Impact
All of the issues require authenticated access to the backoffice, meaning an attacker must first log in to the backoffice to exploit them. Additionally, the complexity to carry out the attacks is high.
Further details
Umbraco will release further details about the vulnerabilities at a later date to ensure there is enough time to apply the patches.
You can read more about the vulnerabilities on the Umbraco blog here.