MEDIUM 5.4 NuGet
Umbraco CMS vulnerable to stored XSS
GHSA-95qr-67rx-9pgh · CVE-2020-5809
Published · Modified
Description
A stored XSS vulnerability exists in Umbraco CMS <= 8.9.1 or current. An authenticated user can inject arbitrary JavaScript code into iframes when editing content using the TinyMCE rich-text editor, as TinyMCE is configured to allow iframes by default in Umbraco CMS.