VYPR
Moderate severity · NVD Advisory · Published Dec 30, 2020 · Updated Aug 4, 2024

CVE-2020-5809

Description

A stored XSS vulnerability exists in Umbraco CMS versions up to and including 8.9.1 (the current release at the time of disclosure). An authenticated user can inject arbitrary JavaScript into iframes when editing content with the TinyMCE rich-text editor, because Umbraco CMS configures TinyMCE to allow iframes by default.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Authenticated stored XSS in Umbraco CMS <= 8.9.1 via iframes in the TinyMCE editor lets a low-privilege content editor run arbitrary JavaScript in the browser of an administrator who views the content.

A stored cross-site scripting (XSS) vulnerability exists in Umbraco CMS versions up to and including 8.9.1. The TinyMCE rich-text editor is configured to allow iframes by default, so an authenticated user can inject arbitrary JavaScript into an iframe while editing content [1][2]. The injected markup is saved with the content and executes whenever the content is rendered.

An attacker with authenticated access crafts a content update containing a malicious iframe whose srcdoc attribute carries the script. An iframe with srcdoc and no sandbox attribute runs in the same origin as the embedding page, so the script executes with the backoffice session of whoever views it. The proof of concept in the Tenable advisory shows an iframe that, when viewed by an admin, sends an XMLHttpRequest that moves the attacker's user into the admin group [1]. The attack requires the victim to view the compromised content, for example an admin previewing or publishing it.

Successful exploitation lets the attacker escalate to admin. As admin, the attacker could install malicious Umbraco packages, which the advisory notes can lead to remote code execution [1]. Because the payload is stored in content, it persists and fires on every view until it is removed.

The Tenable advisory recommends updating to the latest version [1]. The GitHub Security Advisory this page draws on lists no patched version, so confirm in Umbraco's release notes that the version you upgrade to is beyond 8.9.1 and carries the fix. No workaround is given in the sources; removing iframe from the editor's allowed elements (TinyMCE's valid_elements list, exposed through Umbraco's TinyMCE configuration) is a plausible stopgap, but it is a client-side editor setting: an authenticated user who calls the content-save API directly bypasses it, so stored rich text should also be sanitized server-side.
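The srcdoc pattern described above, and the stopgap of keeping iframes out of stored rich text, as an added example that is not part of the original page or of Umbraco's own code: a small Python audit and sanitizer over stored rich-text HTML using only the standard-library parser. The sample content, the fetch target inside the payload and the function names (audit_rich_text, strip_iframes) are constructed for illustration. It demonstrates one point that matters when hunting for this payload in a content database: attribute values are entity-decoded before the browser parses the iframe's document, so a srcdoc written as `&lt;script&gt;` in the stored markup is a live script tag at render time, and a grep for a literal `<script>` in the stored HTML misses it.

```python
"""Audit and sanitize stored rich-text HTML for iframe-based stored XSS.

Added example, not Umbraco's code. Uses only the standard library.
"""
from html import escape
from html.parser import HTMLParser

# src schemes that execute or inline content instead of loading a page.
ACTIVE_SCHEMES = ("javascript:", "data:", "vbscript:")


class RichTextAuditor(HTMLParser):
    """Records (tag, attribute, value) for attributes that can carry script.

    html.parser entity-decodes attribute values before handing them over, so a
    srcdoc stored as &lt;script&gt;...&lt;/script&gt; arrives here as a literal
    <script> element, exactly as the browser will parse it inside the iframe.
    """

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:          # names are already lower-cased
            value = value or ""
            if name.startswith("on"):      # inline event handler on any element
                self.findings.append((tag, name, value))
            elif tag == "iframe" and name == "srcdoc":
                self.findings.append((tag, name, value))
            elif (tag == "iframe" and name == "src"
                  and value.strip().lower().startswith(ACTIVE_SCHEMES)):
                self.findings.append((tag, name, value))


def audit_rich_text(html):
    """Return the list of suspicious (tag, attribute, decoded value) triples."""
    parser = RichTextAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings


class IframeStripper(HTMLParser):
    """Re-emits the markup with every <iframe> element and on* attribute removed."""

    def __init__(self):
        # Keep entity references as written so the output is not re-decoded.
        super().__init__(convert_charrefs=False)
        self.out = []
        self.iframe_depth = 0

    def _emit(self, text):
        if self.iframe_depth == 0:         # suppress everything inside an iframe
            self.out.append(text)

    def _render_tag(self, tag, attrs, self_closing=False):
        parts = [tag]
        for name, value in attrs:
            if name.startswith("on"):      # drop inline handlers while we are here
                continue
            parts.append(name if value is None else f'{name}="{escape(value)}"')
        return "<" + " ".join(parts) + ("/>" if self_closing else ">")

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframe_depth += 1
            return
        self._emit(self._render_tag(tag, attrs))

    def handle_startendtag(self, tag, attrs):
        if tag != "iframe":                # a bare <iframe/> is dropped outright
            self._emit(self._render_tag(tag, attrs, self_closing=True))

    def handle_endtag(self, tag):
        if tag == "iframe":
            self.iframe_depth = max(0, self.iframe_depth - 1)
            return
        self._emit(f"</{tag}>")

    def handle_data(self, data):
        self._emit(data)

    def handle_entityref(self, name):
        self._emit(f"&{name};")

    def handle_charref(self, name):
        self._emit(f"&#{name};")

    def handle_comment(self, data):
        self._emit(f"<!--{data}-->")


def strip_iframes(html):
    """Return the markup without iframes or on* handlers; other content is kept."""
    parser = IframeStripper()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


# Constructed sample of what a malicious editor might save through the
# rich-text editor. The fetch target is a placeholder, not a real Umbraco route.
SAMPLE_CONTENT = (
    "<h2>Q3 update</h2><p>Numbers &amp; notes below.</p>"
    '<iframe srcdoc="&lt;script&gt;'
    "fetch('/placeholder/promote-me', {method: 'POST', credentials: 'include'})"
    '&lt;/script&gt;"></iframe>'
    '<iframe src="https://www.youtube.com/embed/dQw4w9WgXcQ" width="560"></iframe>'
    '<img src="x" onerror="alert(document.cookie)">'
)

if __name__ == "__main__":
    for tag, attr, value in audit_rich_text(SAMPLE_CONTENT):
        print(f"{tag}@{attr}: {value[:70]}")
    print(strip_iframes(SAMPLE_CONTENT))
```

Run the audit over exported content, or over the request body in a server-side save hook, rather than relying on the editor: the editor's allowed-element list is a client-side control. Stripping iframes wholesale is the blunt fix; where embeds are required, reject srcdoc outright and allow only iframes whose src is an https URL on an allow-listed host.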

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: UmbracoCms.Core (NuGet)
Affected versions: <= 8.9.1
Patched versions: none listed

Affected products: 2

Patches: 0 (no patches discovered yet)

References: 3
