UmbracoCms.Core:7.14.0 security findings and workarounds
Hi all,
Our website is using UmbracoCms.Core:7.14.0 and 2 security issues were reported against it, as below:
CVE-2020-5809 (OSSINDEX)
A stored XSS vulnerability exists in Umbraco CMS <= 8.9.1 or current. An authenticated user can inject arbitrary JavaScript code into iframes when editing content using the TinyMCE rich-text editor, as TinyMCE is configured to allow iframes by default in Umbraco CMS.
CVE-2020-5810 (OSSINDEX)
A stored XSS vulnerability exists in Umbraco CMS <= 8.9.1 or current. An authenticated user authorized to upload media can upload a malicious .svg file which acts as a stored XSS payload.
We are proposing 2 workarounds as below (to keep using the current Umbraco version in the meantime):
1. Not using and disabling TinyMCE on the website
2. Validate all upload functions to only allow specific file types (disallow .svg)
Please advise whether these 2 workarounds will mitigate these findings, thanks.
Best regards, Charlie
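An added example of what the second workaround looks like when written as an allow-list plus a content check, so that a renamed SVG is rejected as well as a file named .svg. This is illustration code, not Charlie's code and not Umbraco's media upload handler; the set of allowed types, the trailing-dot normalisation and the sample files are assumptions chosen for the example.

```python
import os
import re

# Allow-list: extension -> magic-byte prefixes a genuine file of that type starts with.
# Assumption (not from the post): these are the only types the site needs to accept.
ALLOWED_TYPES = {
    ".png":  (b"\x89PNG\r\n\x1a\n",),
    ".jpg":  (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif":  (b"GIF87a", b"GIF89a"),
    ".pdf":  (b"%PDF-",),
}

# SVG is XML: with or without a BOM or leading whitespace it starts with "<?xml",
# "<!DOCTYPE", a comment or "<svg". HTML/script starts are caught for the same reason.
_MARKUP_START = re.compile(
    rb"^(?:\xef\xbb\xbf)?\s*<(?:\?xml|!doctype|!--|svg|html|script)", re.IGNORECASE
)


class UploadRejected(ValueError):
    """Raised when an upload must not be stored."""


def looks_like_markup(data: bytes) -> bool:
    """True if the content begins like SVG/XML/HTML, whatever the file is called."""
    return _MARKUP_START.match(data[:256]) is not None


def validate_upload(filename: str, data: bytes) -> str:
    """Return the normalised extension if the upload is acceptable, else raise UploadRejected.

    Checks, in order:
      1. the final extension is on the allow-list (so ".svg" is refused outright);
      2. the bytes start with a magic prefix for that type (so SVG renamed to .png is refused);
      3. the bytes do not start like markup (defence in depth for types with weak magic).
    Trailing dots and spaces are stripped first because Windows/IIS ignore them when
    resolving a name, so "evil.svg." would otherwise pass a naive extension check.
    """
    base = os.path.basename(filename).rstrip(". ")
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension {ext!r} is not allowed")
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        raise UploadRejected(f"content does not look like {ext}")
    if looks_like_markup(data):
        raise UploadRejected("content starts like markup (SVG/HTML/XML)")
    return ext


# Constructed samples for the demo; not files from the site in the post.
GOOD_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16          # header only, enough for the check
BAD_SVG = (b'<?xml version="1.0"?>'
           b'<svg xmlns="http://www.w3.org/2000/svg">'
           b'<script>alert(document.cookie)</script></svg>')


def demo() -> dict:
    """Run the validator over the samples; returns name -> accepted ext or rejection reason."""
    cases = [
        ("photo.png", GOOD_PNG),      # genuine image: accepted
        ("logo.svg", BAD_SVG),        # the CVE-2020-5810 case: refused by extension
        ("logo.png", BAD_SVG),        # SVG renamed to .png: refused by magic bytes
        ("logo.svg.png", BAD_SVG),    # double extension: refused by magic bytes
        ("evil.svg.", BAD_SVG),       # trailing dot: normalised, then refused by extension
    ]
    results = {}
    for name, blob in cases:
        try:
            results[name] = validate_upload(name, blob)
        except UploadRejected as exc:
            results[name] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:14} -> {outcome}")
```

The extension allow-list on its own only covers the literal ".svg" case; the magic-byte check is what makes the rule hold when the attacker renames the file, and the markup check is there for formats whose leading bytes are not distinctive.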