PT-2020-18726 · Umbraco · Umbraco CMS

Evan Grant · Published 2020-12-30 · Updated 2022-05-24 · CVE-2020-5809

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Umbraco CMS versions prior to 8.9.2

Description: A stored XSS issue exists in Umbraco CMS that allows an authenticated user to inject arbitrary JavaScript code via iframes when editing content in the TinyMCE rich-text editor. This is possible because, in Umbraco CMS, TinyMCE is configured to allow iframes by default.

Recommendations: For Umbraco CMS versions prior to 8.9.2, update to version 8.9.2 or later to resolve the issue. As a temporary workaround, consider disabling the use of iframes in the TinyMCE rich-text editor until a patch is available. Restrict access to the TinyMCE editor to minimize the risk of exploitation.

Exploit · Fix · XSS


Weakness Enumeration

Related Identifiers

CVE-2020-5809
GHSA-95QR-67RX-9PGH

Affected Products

TinyMCE
Umbraco CMS