Phu Nguyen
Oct 25, 2023
  9425
(4 votes)

Vulnerability in EPiServer.Forms

Introduction
We recently fixed a potential security vulnerability for the Optimizely Forms addon, customers may face this issue with any Forms version, the problem will happen when using a CMS function without noticing its noted behaviors. It could lead to losing security protection for some of the end-users' data.

Risk
Overall, the risk of vulnerability is high, especially if your website uses content indexing services (like Find or other search engines).

Mitigation 

The issue has been fixed in EPiServer.Forms v5.7.0 (AFORM-3620) for CMS 12 and v4.31.0 for CMS 11. Please upgrade to those versions as soon as possible.

For DXP service customers:

  • Mitigation is in place for all DXP service customers.
  • Update (October 27): To clarify, we have mitigated existing vulnerable vectors, but packages SHOULD be updated to mitigate the risk of reintroducing the vulnerability!

Affected versions
Any Forms version before 5.7.0 (CMS12) or Forms 4.31.0 (CMS11). 

Remediation
If using the affected versions of EPiServer.Forms listed above, please update to version 5.7.0 (CMS12) or Forms 4.31.0 (CMS11).

Please reach out to our support for further guidance by email to support@optimizely.com or submit a request at https://support.optimizely.com/hc/en-us.

Questions

If you have any questions, please contact our support team (with assistance from our security engineering team) at support@optimizely.com.

Risk definitions

Low – little to no potential impact on Optimizely or customer environments/data. Vulnerability has low exploitability, for example: requirement for local or physical system access, zero reachability to/executability within Optimizely products/code.

Medium – some potential impact on Optimizely or customer environments/data. Vulnerability has medium exploitability, for example: requirement to be located on the same local network as the target, requirement for an individual to be manipulated via social engineering, requirement for user privileges, vulnerability achieves limited access to Optimizely products/code.

High – high potential impact on Optimizely or customer environments/data.  Vulnerability has high exploitability, for example:  achieves high level access to Optimizely products/code, could elevate privileges, could result in a significant data loss or downtime.

Critical – very significant potential impact on Optimizely or customer environments/data.  Vulnerability has very high exploitability, for example: achieves admin/root-level access to Optimizely products/code.  Vulnerability does not require any special authentication credentials/knowledge of Optimizely products/environments.

Oct 25, 2023

Comments

Matthew Boniface
Matthew Boniface Oct 26, 2023 11:02 PM

We are just about to DNS cutover for go-live for a customer on Monday (30th October) and so this post is very concerning for us!
Unfortunately, the post is too ambiguous to make an effective assessment whether this is needing to be fixed (and regression tested) before we go-live.
 
The post does not detail what the exploit is, so I cannot determine how/if this vulnerability should be a concern for our client and/or if there is any other workarounds.
 
Also, the mitigations suggest that the packages should be upgraded but then separately states "Mitigation is in place for all DXP service customers". These come across as conflicting statements - it is unclear if that latter statement means that a DXP hosted client does therefore not need to update the packages?

Phu Nguyen
Phu Nguyen Oct 27, 2023 01:17 AM

Hi Matthew Boniface, I know your concern, and I must say we're so sorry for that, but this blog is public, so we cannot give too many details about this vulnerability here.
But I can tell you that not all customers using Forms have this issue on their sites, and this security issue is not easily exploitable. We also took several actions to patch the issue and protect our customers' data on DXP, so all DXP customers' data is now secure. But for safety reasons, we still recommend you update Forms to the latest version.

Tomas Hensrud Gulla
Tomas Hensrud Gulla Oct 29, 2023 08:32 PM

Is the email address for questions correct?

Bien Nguyen
Bien Nguyen Oct 30, 2023 02:38 AM

Tomas Hensrud Gulla Not sure why your outlook says that but yes, it's the correct email address. Maybe it's the dot (.) at the end that caused it?

Tomas Hensrud Gulla
Tomas Hensrud Gulla Oct 30, 2023 09:05 AM

🤦‍♂️You are absolutely correct...

Aniket
Aniket Dec 8, 2023 12:10 AM

Looks like there's a hard dependency on .NET 6.0. We have a client on .NET Framework 4.8.1 so this cannot be installed on CMS 11? Am I missing something?

If I try to install I get the following error:

You are trying to install this package into a project that targets '.NETFramework,Version=v4.8', but the package does not contain any assembly references or content files that are compatible with that

Matthew Boniface
Matthew Boniface Dec 8, 2023 01:49 AM

Hi Aniket,

If you install EPiServer.Forms 4.31.0 (optimizely.com) (i.e. v4.31.0) it won't have a dependency on .NET 6 and should work fine on your .NET 4.8.1

Kind regards, Matt

Please login to comment.
Latest blogs
PageCriteriaQueryService builder with Blazor and MudBlazor

This might be a stupid idea but my new years resolution was to do / test more stuff so here goes. This razor component allows users to build and...

Per Nergård (MVP) | Feb 10, 2025

Enhancing Optimizely CMS Multi-Site Architecture with Structured Isolation

The main challenge of building an Optimizely CMS website is to think about its multi site capabilities up front. Making adjustment after the fact c...

David Drouin-Prince | Feb 9, 2025 | Syndicated blog

How to: set access right to folders

Today I stumped upon this question Solution for Handling File Upload Permissions in Episerver CMS 12, and there is a simple solution for that Using...

Quan Mai | Feb 7, 2025 | Syndicated blog

Poking around in the new Visual Builder and the SaaS CMS

Early findings from using a SaaS CMS instance and the new Visual Builder grids.

Johan Kronberg | Feb 7, 2025 | Syndicated blog

Be careful with your (order) notes

This happened a quite ago but only now I have had time to write about it. Once upon a time, I was asked to look into a customer database (in a big...

Quan Mai | Feb 5, 2025 | Syndicated blog

Imagevault download picker

This open source extension enables you to download images as ImageData with ContentReference from the ImageVault picker. It serves as an alternativ...

Luc Gosso (MVP) | Feb 4, 2025 | Syndicated blog