  • Cuong Dang 1 post 71 karma points
    Oct 19, 2021 @ 00:05
    Cuong Dang
    0

    UmbracoCms.Core:7.14.0 security findings and workarounds

    Hi all,

    Our website is using UmbracoCms.Core:7.14.0 and the 2 security issues below were reported against it:

    CVE-2020-5809 (OSSINDEX)
    A stored XSS vulnerability exists in Umbraco CMS <= 8.9.1 or current. An authenticated user can inject arbitrary JavaScript code into iframes when editing content using the TinyMCE rich-text editor, as TinyMCE is configured to allow iframes by default in Umbraco CMS.

    CVE-2020-5810 (OSSINDEX)
    A stored XSS vulnerability exists in Umbraco CMS <= 8.9.1 or current. An authenticated user authorized to upload media can upload a malicious .svg file which acts as a stored XSS payload.

    We are proposing the 2 workarounds below (to keep using the current Umbraco version in the meantime):

    1. Not using & disabling TinyMCE on the website
    2. Validating all upload functions to only allow specific file types (disallow .svg)

    Please advise whether the 2 workarounds will mitigate these findings, thanks.

    Best regards, Charlie
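The second workaround above (restricting upload file types) is only as good as the check behind it. The example below is added here and is neither the poster's code nor Umbraco's (Umbraco 7 keeps a deny-list of extensions in umbracoSettings.config, which is extension-only); it shows what a server-side upload validator needs to do to actually stop the .svg stored-XSS case: allow-list rather than deny-list the extension, take only the last extension case-insensitively (so `evil.SVG` and `photo.png.svg` are caught), and inspect the bytes so an SVG renamed to `.png` is refused as well. The allowed types, magic signatures and sample inputs are assumptions constructed for the example.

```python
"""Server-side upload validation for the .svg stored-XSS case.

Added example (not Umbraco code): rejects SVG by extension AND by content,
so "evil.SVG", "photo.png.svg" and an SVG renamed to .png are all refused.
The allow-list and signatures below are assumptions for the example.
"""
import os
import re

# Hypothetical allow-list: only the passive media types this site needs.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".pdf"}

# File signatures (magic bytes) for the allowed types.
MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".pdf": (b"%PDF-",),
}

# Anything that starts like XML/SVG/HTML is active content when a browser
# renders it inline in the site's origin, whatever the extension claims.
ACTIVE_MARKUP = re.compile(rb"<\s*(\?xml|!doctype|svg|html|script)\b", re.IGNORECASE)

# Constructed sample inputs (not taken from the post or the CVE text).
SVG_PAYLOAD = b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"></svg>'
SVG_WITH_PROLOG = b'\xef\xbb\xbf<?xml version="1.0"?>\n' + SVG_PAYLOAD
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32


def validate_upload(filename, data):
    """Return (accepted, reason). Deny by default."""
    # Only the LAST extension counts, lower-cased: "x.png.svg" is an .svg.
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension {ext!r} is not on the allow-list"

    # Skip a UTF-8 BOM and leading whitespace before looking for markup,
    # so an SVG with an XML prolog or padding is still recognised.
    head = data[:1024].lstrip(b"\xef\xbb\xbf \t\r\n")
    if ACTIVE_MARKUP.search(head):
        return False, "content is XML/SVG/HTML markup, not the declared image type"

    # Finally require the bytes to match the signature of the claimed type.
    if not any(data.startswith(sig) for sig in MAGIC[ext]):
        return False, f"content does not match the {ext} file signature"
    return True, "ok"


def response_headers_for_media(filename):
    """Headers for serving files that are already in the media library:
    forbid MIME sniffing and force download instead of inline rendering,
    so a previously uploaded SVG cannot run script in the site's origin."""
    safe_name = os.path.basename(filename).replace('"', "")
    return {
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
    }


if __name__ == "__main__":
    samples = [
        ("logo.png", PNG_SAMPLE),
        ("evil.svg", SVG_PAYLOAD),
        ("evil.SVG", SVG_PAYLOAD),
        ("photo.png.svg", SVG_PAYLOAD),
        ("evil.png", SVG_PAYLOAD),
        ("evil.png", SVG_WITH_PROLOG),
    ]
    for name, blob in samples:
        print(name, validate_upload(name, blob))
```

The order of the checks matters: the extension test is cheap and catches the obvious cases, the markup sniff catches a renamed SVG even though it has a "good" extension, and the signature test rejects anything that is not really the type it claims to be. The response headers are for files that were uploaded before the validator was in place.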
