  • Cuong Dang, 1 post, 71 karma points
    Oct 19, 2021 @ 00:05

    UmbracoCms.Core:7.14.0 security findings and workarounds

    Hi all,

    Our website is using UmbracoCms.Core:7.14.0 and the 2 security issues below were reported against it:

    CVE-2020-5809 (OSSINDEX)
    A stored XSS vulnerability exists in Umbraco CMS <= 8.9.1 or current. An authenticated user can inject arbitrary JavaScript code into iframes when editing content using the TinyMCE rich-text editor, as TinyMCE is configured to allow iframes by default in Umbraco CMS.

    CVE-2020-5810 (OSSINDEX)
    A stored XSS vulnerability exists in Umbraco CMS <= 8.9.1 or current. An authenticated user authorized to upload media can upload a malicious .svg file which acts as a stored XSS payload.

    We are proposing 2 workarounds as below (to keep using the current Umbraco version in the meantime):

    1. Not using & disabling TinyMCE in the website
    2. Validating all upload functions to only allow specific file types (disallow .svg)

    Please advise whether these 2 workarounds will mitigate these findings, thanks.

    Best regards, Charlie
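As an added illustration of what workaround 2 has to cover to block the CVE-2020-5810 vector (this is example code, not part of the post above and not Umbraco's own upload handling): a bare ".svg" deny-list beside an allow-list plus content sniff. The allow-list, the sample file names and the sample bytes are constructed assumptions.

```python
"""Upload-type validation for the CVE-2020-5810 workaround (added example).

Shows why a deny-list on the literal '.svg' suffix is not enough and what an
extension allow-list combined with a content check looks like. All inputs
below are constructed samples, not real uploads."""
import re

# Assumed policy for a raster-image media endpoint (not an Umbraco setting).
IMAGE_ALLOW_LIST = {"png", "jpg", "jpeg", "gif"}


def weak_check(filename: str) -> bool:
    """Naive deny-list: rejects only a lowercase '.svg' suffix."""
    return not filename.endswith(".svg")


# Markup that a raster image never starts with; SVG is XML, so an <svg> root
# anywhere in the first bytes is enough to reject regardless of the name.
MARKUP_PREFIX = re.compile(rb"^\s*(<\?xml|<!DOCTYPE|<svg|<html|<script)", re.IGNORECASE)
SVG_ROOT = re.compile(rb"<\s*svg[\s>]", re.IGNORECASE)


def strict_check(filename: str, data: bytes) -> tuple:
    """Allow-list on the final extension (case-insensitive), then sniff the
    first 512 bytes so a renamed SVG is still rejected."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in IMAGE_ALLOW_LIST:
        return False, f"extension '{ext}' not in allow-list"
    head = data[:512]
    if MARKUP_PREFIX.search(head) or SVG_ROOT.search(head):
        return False, "content looks like markup, not a raster image"
    return True, "ok"


# Constructed samples: a PNG signature with padding, and an SVG body (no
# script inside; the check is about markup, not about any payload).
PNG_BYTES = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
SVG_BYTES = b'<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg"><rect/></svg>'
SAMPLES = [
    ("photo.png", PNG_BYTES),
    ("logo.svg", SVG_BYTES),
    ("logo.SVG", SVG_BYTES),      # case slips past the naive suffix check
    ("logo.svg.png", SVG_BYTES),  # name passes, content is still SVG
]


def evaluate(samples=SAMPLES) -> dict:
    """Map each sample name to (naive verdict, strict verdict); True = accepted."""
    return {name: (weak_check(name), strict_check(name, data)[0]) for name, data in samples}


if __name__ == "__main__":
    for name, (naive, strict) in evaluate().items():
        print(f"{name:14} naive={naive!s:5} strict={strict}")
```

Whether the naive check's misses matter on a given server depends on how it maps extensions to content types, which is exactly the dependency the allow-list plus content sniff removes.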
