
Umbraco flags pending security patch for RCE vulnerability in forms package

Umbraco, a content management system (CMS) vendor, has given users of its form-building package a “heads-up” about an imminent software update addressing a remote code execution (RCE) vulnerability.

Discovered by AppCheck security researcher Gary O’Leary-Steele, the flaw in Umbraco Forms could also be exploited to delete arbitrary files, according to a security advisory published on July 15.

All current versions of Umbraco Forms v4.0.0 and up are affected by the vulnerability.

The software developer has urged users to update their systems as soon as possible, once the update lands tomorrow (July 20) at 07:00 UTC.

“Because we are looking at a patch upgrade, we expect the fix to be rather straightforward and to only require minimal time per project,” said the Danish vendor.

Cloud users don’t need to take any action since Umbraco Cloud sites will upgrade automatically tomorrow between 07:00 and 21:00 UTC.

“Currently, we have no indication that this vulnerability is being exploited in the wild,” Umbraco added.

Pre-advisory

Umbraco is an open source ASP.NET-based CMS in use by more than 731,000 websites worldwide, according to the vendor.

Umbraco Forms, which is available for $219 per domain but is free for cloud users, is used to build responsive web forms with a choice of input types and reporting functionality.

“If you’re using Umbraco Forms versions 8, 7 and 6 you will be able to upgrade to a new patch[ed] version of your current minor version, no matter what minor version you are using now,” said Umbraco.

Sites running Umbraco Forms version 4 will need to upgrade to the latest version, 4.4.8.

Umbraco recommended that users running a version significantly older than 4.4.7 upgrade to that version in advance of the release “to make sure everything still works and that the final upgrade to 4.4.8 is as easy as possible”.

Umbraco thanked O’Leary-Steele and AppCheck, a UK-based vulnerability scanning platform, for their help with remediation and “the speed with which they have responded to questions and their help in planning the timeline for rollout and communication”.

On Twitter, O’Leary-Steele in turn commended Umbraco “for working to resolve a reported security flaw from report to fix within days”, and their “constant comms from first report until fix”.

The researcher also said that AppCheck would be publishing technical analysis of the vulnerability in four weeks’ time in order to give users time to apply the updates.


Umbraco declined to comment further in response to a query from The Daily Swig.

This article may be updated with further details following the release of the security patch tomorrow.

Source: https://portswigger.net/daily-swig/umbraco-flags-pending-security-patch-for-rce-vulnerability-in-forms-package
