cbcvebase.
CVE-2020-5810
published 2020-12-30


Priority: P3 · 41 · medium
CVSS 3.1: 5.4 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
EPSS: 66.20% (99.2th percentile)
A stored XSS vulnerability exists in Umbraco CMS <= 8.9.1 or current. An authenticated user authorized to upload media can upload a malicious .svg file which acts as a stored XSS payload.

Affected

1 range
Vendor: umbraco
Product: umbraco_cms
Version range: <= 8.9.1
Fixed in: (none listed)

Detection & IOCs

Path: /umbraco/backoffice/UmbracoApi/Users/PostSetUserGroupsOnUsers
Cookie: UMB-XSRF-TOKEN
  • Monitor HTTP POST requests to the Umbraco Users API endpoint for privilege escalation attempts, particularly requests adding 'admin' to userGroupAliases from non-admin sessions.
  • Alert on uploads of .svg files to the Umbraco media library, especially those containing embedded <script> tags or JavaScript, as these can serve as stored XSS payloads.
  • Inspect the X-UMB-XSRF-TOKEN request header being set programmatically (e.g., via XMLHttpRequest in SVG script content) as an indicator of CSRF token theft and abuse within the XSS payload.
  • The stored XSS via SVG upload is only exploitable by authenticated users who have been granted media upload permissions; restrict this privilege to trusted users only.
  • The XSS payload achieves privilege escalation only when triggered by an admin user; the impact is conditional on admin interaction with the malicious SVG link.
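As an added example (not code from the page or from the Umbraco project), the check below is the kind a media-upload filter or a detection pipeline can run over an SVG body to flag the constructs the bullets above describe: script elements, event-handler attributes and javascript: URLs. The sample SVG documents are constructed here for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs (not taken from the page): one benign SVG and two
# that carry active content of the kind a stored-XSS payload relies on.
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
SCRIPT_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>'
HANDLER_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" '
               b'onload="alert(1)"><a xlink:href="javascript:alert(1)"><text>x</text></a></svg>')


def svg_active_content(data: bytes) -> list[str]:
    """Return findings describing active (script-bearing) content in an SVG.

    An empty list means none of the watched constructs was seen. Input that is
    not well-formed XML is reported as a finding rather than silently accepted,
    so an upload filter fails closed. (In production, parse with defusedxml to
    also guard against entity-expansion tricks.)
    """
    findings: list[str] = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]
    for elem in root.iter():
        # Strip the namespace so <svg:script> and <script> are treated alike.
        local = elem.tag.rsplit("}", 1)[-1].lower()
        if local in ("script", "foreignobject"):
            findings.append(f"<{local}> element")
        for name, value in elem.attrib.items():
            lname = name.rsplit("}", 1)[-1].lower()  # handles xlink:href too
            if lname.startswith("on"):  # onload, onclick, onmouseover, ...
                findings.append(f"event handler attribute {lname} on <{local}>")
            if lname == "href" and re.match(r"\s*javascript:", value, re.I):
                findings.append(f"javascript: URL in href on <{local}>")
    return findings


def is_safe_svg(data: bytes) -> bool:
    """Convenience wrapper: True only when no finding was raised."""
    return not svg_active_content(data)


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("script", SCRIPT_SVG), ("handler", HANDLER_SVG)):
        print(label, svg_active_content(doc))
```

Rejecting such uploads, or serving media from an origin that is not the back-office origin, removes the stored-XSS path even before the permission restriction above is applied.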

CVSS provenance

NVD, CVSS v3.1: 5.4 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
NVD, CVSS v2.0: 3.5 LOW, AV:N/AC:M/Au:S/C:N/I:P/A:N