Umbraco, a content management system (CMS) vendor, has given users of its form-building package a “heads-up” about an imminent software update addressing a remote code execution (RCE) vulnerability.
Discovered by AppCheck security researcher Gary O’Leary-Steele, the flaw in Umbraco Forms could also be exploited to delete arbitrary files, according to a security advisory published on July 15.
All current versions of Umbraco Forms v4.0.0 and up are affected by the vulnerability.
The software developer has urged users to update their systems as soon as possible, once the update lands tomorrow (July 20) at 07:00 UTC.
“Because we are looking at a patch upgrade, we expect the fix to be rather straightforward and to only require minimal time per project,” said the Danish vendor.
Cloud users don’t need to take any action since Umbraco Cloud sites will upgrade automatically tomorrow between 07:00 and 21:00 UTC.
“Currently, we have no indication that this vulnerability is being exploited in the wild,” Umbraco added.
Pre-advisory
Umbraco is an open-source ASP.NET-based CMS in use by more than 731,000 websites worldwide, according to the vendor.
Umbraco Forms, which is available for $219 per domain but is free for cloud users, is used to build responsive web forms with a choice of input types and reporting functionality.
“If you’re using Umbraco Forms versions 8, 7 and 6 you will be able to upgrade to a new patch[ed] version of your current minor version, no matter what minor version you are using now,” said Umbraco.
Sites running Umbraco Forms version 4 will need to upgrade to the latest version, 4.4.8.
Umbraco recommended that users running a version significantly older than 4.4.7 upgrade to that version in advance of the release “to make sure everything still works and that the final upgrade to 4.4.8 is as easy as possible”.
Umbraco thanked O’Leary-Steele and AppCheck, a UK-based vulnerability scanning platform, for their help with remediation and “the speed with which they have responded to questions and their help in planning the timeline for rollout and communication”.
On Twitter, O’Leary-Steele in turn commended Umbraco “for working to resolve a reported security flaw from report to fix within days”, and their “constant comms from first report until fix”.
The researcher also said that AppCheck would be publishing technical analysis of the vulnerability in four weeks’ time in order to give users time to apply the updates.
Umbraco declined to comment further in response to a query from The Daily Swig.
This article may be updated with further details following the release of the security patch tomorrow.