Umbraco CMS Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in Umbraco CMS versions through 14.3.1. This vulnerability allows authenticated users with access to the CMS to execute arbitrary web scripts or HTML by injecting a crafted payload. The issue arises from a lack of server-side input sanitization in the rich text editing feature, which uses TinyMCE as the editor. While the client-side editor attempts to sanitize input, the server-side API does not, leaving a gap that can be exploited by sending HTTP requests to update documents with malicious content.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the content. This could lead to theft of credentials and private data, logging of keystrokes, or performing actions on behalf of the user in their session.

Reproduction

To reproduce this vulnerability, create a Document Type in Umbraco CMS 14.3.1 or below that includes a Rich Text Editor property. Once the document type is set up, create a new document and upload a payload, such as a script tag containing JavaScript, through the rich text editor. After saving and publishing the document, the injected script will execute when the content is viewed.

Remediation

Umbraco has acknowledged this vulnerability but has not implemented a server-side fix. CMS administrators are advised to apply their own input sanitization using the IHtmlSanitizer interface or to avoid using the rich text editor altogether.
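One way to implement the advised sanitization, shown as an added example that is not code from Umbraco or from this advisory. It assumes the third-party HtmlSanitizer NuGet package (namespace Ganss.Xss) is installed; the class and namespace names are hypothetical.

```csharp
// Added example: server-side allow-list sanitization for rich text values.
// Assumptions: the HtmlSanitizer NuGet package (Ganss.Xss) is referenced;
// MySite.Security, AllowListHtmlSanitizer and HtmlSanitizerComposer are
// hypothetical names chosen for this illustration.
using Ganss.Xss;
using Umbraco.Cms.Core.Composing;
using Umbraco.Cms.Core.DependencyInjection;
using Umbraco.Cms.Core.Security;
using Umbraco.Extensions;

namespace MySite.Security;

public sealed class AllowListHtmlSanitizer : IHtmlSanitizer
{
    private readonly HtmlSanitizer _sanitizer = new();

    public AllowListHtmlSanitizer()
    {
        // The library works from an allow list, so <script> elements and
        // on* event-handler attributes are dropped without extra rules.
        // Form controls are on its default list; remove them so stored
        // content cannot render a look-alike login form.
        foreach (var tag in new[] { "form", "input", "button", "select", "textarea" })
        {
            _sanitizer.AllowedTags.Remove(tag);
        }

        // Keep link and image targets to ordinary schemes; javascript:
        // and data: URLs are rejected because they are not listed.
        _sanitizer.AllowedSchemes.Clear();
        _sanitizer.AllowedSchemes.Add("http");
        _sanitizer.AllowedSchemes.Add("https");
        _sanitizer.AllowedSchemes.Add("mailto");
    }

    // Called by Umbraco with the submitted rich text markup.
    public string Sanitize(string html)
        => string.IsNullOrEmpty(html) ? html : _sanitizer.Sanitize(html);
}

// Composer that swaps this implementation in for the registered IHtmlSanitizer.
public sealed class HtmlSanitizerComposer : IComposer
{
    public void Compose(IUmbracoBuilder builder)
        => builder.Services.AddUnique<IHtmlSanitizer, AllowListHtmlSanitizer>();
}
```

After deploying, repeat the steps under Reproduction on a test site and confirm the stored value no longer contains the script tag. Also check that markup your editors rely on still survives a save, since an allow list can strip attributes it does not know about.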

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 6.4
impact: 3.5
exploitability: 6.8
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.