Vulnerability in EPiServer.Forms

Introduction
We recently fixed a potential security vulnerability for the Optimizely Forms addon, customers may face this issue with any Forms version, the problem will happen when using a CMS function without noticing its noted behaviors. It could lead to losing security protection for some of the end-users' data.

Risk
Overall, the risk of vulnerability is high, especially if your website uses content indexing services (like Find or other search engines).

Mitigation 

The issue has been fixed in EPiServer.Forms v5.7.0 (AFORM-3620) for CMS 12 and v4.31.0 for CMS 11. Please upgrade to those versions as soon as possible.

For DXP service customers:

• Mitigation is in place for all DXP service customers.
• Update (October 27): To clarify, we have mitigated existing vulnerable vectors, but packages SHOULD be updated to mitigate the risk of reintroducing the vulnerability!

Affected versions
Any Forms version before 5.7.0 (CMS12) or Forms 4.31.0 (CMS11). 

Remediation
If using the affected versions of EPiServer.Forms listed above, please update to version 5.7.0 (CMS12) or Forms 4.31.0 (CMS11).

Please reach out to our support for further guidance by email to support@optimizely.com or submit a request at https://support.optimizely.com/hc/en-us.

Questions

If you have any questions, please contact our support team (with assistance from our security engineering team) at support@optimizely.com.

Risk definitions

Low – little to no potential impact on Optimizely or customer environments/data. Vulnerability has low exploitability, for example: requirement for local or physical system access, zero reachability to/executability within Optimizely products/code.

Medium – some potential impact on Optimizely or customer environments/data. Vulnerability has medium exploitability, for example: requirement to be located on the same local network as the target, requirement for an individual to be manipulated via social engineering, requirement for user privileges, vulnerability achieves limited access to Optimizely products/code.

High – high potential impact on Optimizely or customer environments/data.  Vulnerability has high exploitability, for example:  achieves high level access to Optimizely products/code, could elevate privileges, could result in a significant data loss or downtime.

Critical – very significant potential impact on Optimizely or customer environments/data.  Vulnerability has very high exploitability, for example: achieves admin/root-level access to Optimizely products/code.  Vulnerability does not require any special authentication credentials/knowledge of Optimizely products/environments.