  • Sebastiaan Janssen 5044 posts 15475 karma points MVP admin hq
    Jan 20, 2022 @ 12:11
    Medium-severity security vulnerability identified in Umbraco CMS

    We're ready to answer your questions in relation to the blog post we just published:

  • MB 113 posts 422 karma points
    Jan 20, 2022 @ 22:00

    Just to clarify - Sites hosted on Umbraco-Cloud - Including Umbraco-7 - are NOT affected by this?

  • Ronald Barendse 39 posts 217 karma points hq c-trib
    Jan 21, 2022 @ 10:24
    None of the sites on Umbraco Cloud are affected, because they all use hostname bindings (you can't access a site by just the IP address and therefore can't spoof the hostname either).

    Setting up hostname bindings is kind of a two-way verification: you prove ownership of a hostname/domain by pointing it to the IP address of the webserver and verify ownership of the webserver/hosting package by adding that hostname to the site's bindings. Your site will only work if both are correctly set up, so you can't spoof the hostname anymore.

    You can still set the umbracoApplicationUrl on Umbraco 7+ sites to ensure that URL is always used for e.g. password reset links (this alone would already mitigate the issue). Only Umbraco 8 and 9 have received patches to use a (slightly) safer default and a Health Check to ensure you've set the umbracoApplicationUrl. Umbraco 7 didn't get patched, because this is a medium-severity security vulnerability and there are already multiple ways to mitigate this issue.
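
The two mitigations named in the reply above (hostname bindings and a fixed umbracoApplicationUrl), modelled as an added example that is not Umbraco's code or part of the original post. The function names, the `/reset?token=` path and the hostnames are hypothetical and constructed for illustration; the model only shows which hostname ends up in an e-mailed password reset link under each setup.

```python
from urllib.parse import urlsplit


def accepted_by_bindings(host_header, bindings):
    """Web server step: with no hostname bindings, any Host value reaches the app."""
    if not bindings:
        return True
    host = host_header.split(":")[0].lower()  # drop an optional :port
    return host in {b.lower() for b in bindings}


def reset_link(host_header, token, bindings=(), application_url=None):
    """Return the reset URL the app would e-mail, or None when no binding
    matches and the request never reaches the app."""
    if not accepted_by_bindings(host_header, bindings):
        return None
    if application_url:
        # Fixed base URL: the request's Host header is ignored.
        base = application_url.rstrip("/")
    else:
        # No fixed URL: the base is derived from whatever Host was sent.
        base = "https://" + host_header + "/umbraco"
    return f"{base}/reset?token={token}"  # hypothetical path


def link_host(url):
    """Hostname a recipient would be sent to when following the link."""
    return urlsplit(url).hostname


if __name__ == "__main__":
    site = "cms.example.com"    # constructed: the real site
    spoofed = "other.example"   # constructed: a Host value the owner never bound
    cases = {
        "no bindings, no fixed URL": {},
        "hostname bindings": {"bindings": (site,)},
        "fixed application URL": {"application_url": f"https://{site}/umbraco/"},
    }
    for name, kwargs in cases.items():
        link = reset_link(spoofed, "TOKEN", **kwargs)
        print(f"{name}: {link_host(link) if link else 'request rejected'}")
```
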

  • Sebastiaan Janssen 5044 posts 15475 karma points MVP admin hq
    Jan 21, 2022 @ 11:16
    ✅ No sites running on Umbraco Cloud are affected.
