VYPR
Moderate severity · NVD Advisory · Published Dec 30, 2020 · Updated Aug 4, 2024

CVE-2020-5811

Description

An authenticated path traversal vulnerability exists during package installation in Umbraco CMS <= 8.9.1 or current, which could result in arbitrary files being written outside of the site home and expected paths when installing an Umbraco package.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Authenticated path traversal in Umbraco CMS package installation allows arbitrary file writes outside the site home, potentially leading to remote code execution.

Vulnerability

Overview

CVE-2020-5811 is an authenticated path traversal vulnerability in Umbraco CMS versions up to and including 8.9.1. The flaw exists during package installation, where insufficient validation of file paths allows an attacker to write files outside the intended site home directory [1][2]. This occurs because the package installation process does not properly sanitize or restrict the destination paths specified within a package manifest.

Exploitation

To exploit this vulnerability, an attacker must be authenticated to the Umbraco backoffice and have the ability to install packages. By crafting a malicious Umbraco package whose manifest contains path traversal sequences (e.g., ../) in the destination paths, the attacker can write arbitrary files to any location on the server's filesystem that the web application's process identity is permitted to write to [1]. No additional privileges beyond package installation rights are required, though in practice package installation is restricted to administrators.
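The Overview and Exploitation paragraphs both describe the same defect: destination paths taken from the package manifest are joined onto the site root without checking that the result stays inside it. The following added example (not Umbraco's code) shows that naive join beside a hardened containment check. It parses a constructed manifest in the style of an Umbraco package.xml (file entries carrying orgPath and orgName, with the guid naming the zip entry), which is an assumption about the format; the site root "/srv/site" and all entries are made up for illustration.

```python
"""Path-containment check for package-manifest file entries.

Added example, not Umbraco's own code. Each <file> entry names a destination
directory (orgPath) and file name (orgName) that the installer resolves under
the site root; the fix is to canonicalise the result and refuse anything that
lands outside that root.
"""
import os
import xml.etree.ElementTree as ET

# Constructed manifest: two legitimate entries followed by two traversal attempts
# (one via '..' in orgPath, one via backslash-separated '..' in orgName).
SAMPLE_MANIFEST = """<umbPackage>
  <files>
    <file><guid>a.dll</guid><orgPath>/bin</orgPath><orgName>MyPlugin.dll</orgName></file>
    <file><guid>v.cshtml</guid><orgPath>/Views/Partials</orgPath><orgName>Widget.cshtml</orgName></file>
    <file><guid>x.aspx</guid><orgPath>/../../inetpub/wwwroot</orgPath><orgName>shell.aspx</orgName></file>
    <file><guid>w.config</guid><orgPath>/bin</orgPath><orgName>..\\..\\web.config</orgName></file>
  </files>
</umbPackage>"""


def parse_manifest(xml_text):
    """Return (orgPath, orgName) pairs for every <file> entry in the manifest."""
    root = ET.fromstring(xml_text)
    return [(f.findtext("orgPath", ""), f.findtext("orgName", "")) for f in root.iter("file")]


def naive_destination(site_root, org_path, org_name):
    """Vulnerable behaviour: trust the manifest and join the pieces as given.

    Backslashes are treated as separators because the installer historically
    ran on Windows; '..' segments are happily collapsed by normpath, so a
    crafted entry walks out of the site root.
    """
    rel = (org_path.replace("\\", "/").strip("/") + "/" + org_name.replace("\\", "/")).strip("/")
    return os.path.normpath(os.path.join(site_root, rel))


def safe_destination(site_root, org_path, org_name):
    """Hardened: build the candidate path, canonicalise it, and require that it
    stays strictly inside the site root. commonpath (rather than a string
    prefix test) also rejects sibling directories such as /srv/site2."""
    root = os.path.abspath(site_root)
    dest = os.path.abspath(naive_destination(root, org_path, org_name))
    if dest == root or os.path.commonpath([root, dest]) != root:
        raise ValueError(f"path escapes site root: {org_path!r}/{org_name!r}")
    return dest


def plan_install(site_root, xml_text):
    """Split manifest entries into accepted destinations and rejection reasons."""
    accepted, rejected = [], []
    for org_path, org_name in parse_manifest(xml_text):
        try:
            accepted.append(safe_destination(site_root, org_path, org_name))
        except ValueError as exc:
            rejected.append(str(exc))
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = plan_install("/srv/site", SAMPLE_MANIFEST)
    print("would write:", ok)
    print("rejected:", bad)
```

Run stand-alone, the naive join places the third entry at /inetpub/wwwroot/shell.aspx and the fourth at /srv/web.config, both outside the site root, while the hardened check rejects both and keeps only the two bin/ and Views/ entries. In .NET the same check is Path.GetFullPath on the joined path followed by a comparison against the full path of the root.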

Impact

Successful exploitation enables an attacker to write files outside the web root, potentially overwriting configuration files or placing a web shell; the reachable locations are bounded by what the web application's process identity may write. This can lead to remote code execution (RCE) in the security context of that process [1]. The Tenable advisory notes that if an attacker first escalates privileges via stored XSS (CVE-2020-5809 or CVE-2020-5810), they could then install a malicious package and achieve RCE, making this path traversal a key component in a broader attack chain.

Mitigation

Umbraco has addressed this vulnerability in version 8.9.2. Users are strongly advised to upgrade to the latest supported version. No workarounds are documented; restricting package installation rights to trusted administrators reduces exposure but does not eliminate the vulnerability [1][2].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: UmbracoCms (NuGet)
Affected versions: < 8.9.2
Patched versions: 8.9.2

Affected products: 2

Patches: 0 (no patch commits discovered yet)

References: 4
