19 July 2021 at 12:03 UTC
Updated: 19 July 2021 at 12:05 UTC
‘No indication that this vulnerability is being exploited in the wild’
Umbraco, a content management system (CMS) vendor, has given users of its form-building package a “heads-up” about an imminent software update addressing a remote code execution (RCE) vulnerability.
Discovered by AppCheck security researcher Gary O’Leary-Steele, the flaw in Umbraco Forms could also be exploited to delete arbitrary files, according to a security advisory published on July 15.
All current versions of Umbraco Forms v4.0.0 and up are affected by the vulnerability.
The software developer has urged users to update their systems as soon as possible, once the update lands tomorrow (July 20) at 07:00 UTC.
“Because we are looking at a patch upgrade, we expect the fix to be rather straightforward and to only require minimal time per project,” said the Danish vendor.
Cloud users don’t need to take any action since Umbraco Cloud sites will upgrade automatically tomorrow between 07:00 and 21:00 UTC.
“Currently, we have no indication that this vulnerability is being exploited in the wild,” added Umbraco.
Umbraco is an open source ASP.NET CMS in use by more than 731,000 websites worldwide, according to the vendor.
Umbraco Forms, which is available for $219 per domain but is free for cloud users, is used to build responsive web forms with a choice of input types and reporting functionality.
“If you’re using Umbraco Forms versions 8, 7 and 6 you will be able to upgrade to a new patch version of your current minor version, no matter what minor version you are using now,” said Umbraco.
Sites running Umbraco Forms version 4 will need to upgrade to the latest version, 4.4.8.
Umbraco recommended that users running a significantly older version than 4.4.7 upgrade to 4.4.7 in advance of the release “to make sure everything still works and that the final upgrade to 4.4.8 is as easy as possible”.
Umbraco thanked O’Leary-Steele and AppCheck, a UK-based vulnerability scanning platform, for their help with remediation and “the speed with which they have responded to questions and their help in planning the timeline for rollout and communication”.
On Twitter, O’Leary-Steele in turn commended Umbraco “for working to resolve a reported security flaw from report to fix within days”, and their “constant comms from first report until fix”.
This article may be updated with further details following the release of the security patch tomorrow.