CVE-2020-5809: XSS
First published: Wed Dec 30 2020(Updated: )
A stored XSS vulnerability exists in Umbraco CMS <= 8.9.1 or current. An authenticated user can inject arbitrary JavaScript code into iframes when editing content using the TinyMCE rich-text editor, as TinyMCE is configured to allow iframes by default in Umbraco CMS.
Credit: vulnreport@tenable.com vulnreport@tenable.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| nuget/UmbracoCms.Core | <=8.9.1 | |
| Umbraco Umbraco Cms | <=8.9.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2020-5809?
CVE-2020-5809 is a stored XSS vulnerability that exists in Umbraco CMS versions <= 8.9.1 or current.
How does the vulnerability in Umbraco CMS CVE-2020-5809 work?
An authenticated user can inject arbitrary JavaScript code into iframes when editing content using the TinyMCE rich-text editor in Umbraco CMS, as TinyMCE is configured to allow iframes by default.
Is Umbraco CMS version 8.9.1 affected by CVE-2020-5809?
Yes, Umbraco CMS version 8.9.1 is affected by CVE-2020-5809.
How severe is the vulnerability in Umbraco CMS CVE-2020-5809?
The severity of the vulnerability in Umbraco CMS CVE-2020-5809 is medium, with a severity score of 5.4.
How can I fix the vulnerability in Umbraco CMS CVE-2020-5809?
To fix the vulnerability in Umbraco CMS CVE-2020-5809, it is recommended to update to a version higher than 8.9.1 or apply the necessary security patches.
- collector/github-advisory-latest
- alias/GHSA-95qr-67rx-9pgh
- alias/CVE-2020-5809
- collector/nvd-index
- collector/nvd-cve
- agent/weakness
- agent/description
- agent/references
- agent/severity
- agent/author
- agent/tags
- agent/type
- agent/event
- agent/softwarecombine
- agent/first-publish-date
- agent/last-modified-date
- package-manager/nuget
- vendor/umbraco
- canonical/umbraco umbraco cms
- version/umbraco umbraco cms/8.9.1