Umbraco HQ announced a medium-severity security issue affecting versions of Umbraco from Umbraco 8 to Umbraco 11, including the now out of support Umbraco 9. All customers are advised to have their sites updated with the available patches.
Updated 29 March 2023: Umbraco have announced an additional patch release due to another vulnerability found. The level of impact has not changed however.
As per common practice, details of the exploit have not been released, however we do know that Umbraco 7 is not affected by this vulnerability. We also know that the exploit only applies once you've logged in and have access to the Umbraco backoffice (the content editing and configuration environment for the site hosted on Umbraco).
If your site is running on Umbraco Cloud you should still have someone review your sites and ensure that the upgrade has been successfully completed.
Details on the vulnerability and how to upgrade can be found on Umbraco HQ's blog here: Security Advisory, March 21, 2023: Patch is now available (umbraco.com).
If you would like support or assistance in upgrading your site reach out to us and we'll be glad to help.