
[GHSA-572q-86rr-5vgq] Umbraco Rich Text Display allows Cross-Site Scripting #5270

Open
wants to merge 1 commit into base: AndyButland/advisory-improvement-5270

Conversation

AndyButland

Updates

  • CVSS v3
  • Description
  • References
  • Severity

Comments
I head up the CMS team at Umbraco and have responsibility for the product in question.

I've suggested some updates here, but my first request would actually be for you to please consider removing this. This is for a few reasons:

  1. The issue raised is already documented with a solution (https://docs.umbraco.com/umbraco-cms/reference/security/serverside-sanitizing). To summarise, the potential attack is only possible via authenticated users, who have been manually allowed access to the CMS, providing content for presentation on the website. We have taken a deliberate decision to not apply HTML sanitization at the product level, as this could potentially change users' content in ways they don't expect. Rather, we provide a hook so a customer can use their own preferred library or website to do this. Most customers do not feel this is necessary for their setup, but for those that do, they have the option to implement it.

  2. The raising of the issue didn't follow our documented security policy: https://umbraco.com/trust-center/security-and-umbraco/how-to-report-a-vulnerability-in-umbraco/. Rather, the details were simply published to a blog rather than reaching out to us: https://www.nccgroup.com/us/research-blog/technical-advisory-cross-site-scripting-in-umbraco-rich-text-display/

  3. The write-up claims a response from Umbraco, but references a single comment from someone external to the Umbraco organisation responding on a public forum: Adding a Warning Label to the Rich Text Editor umbraco/Umbraco-CMS#17658

  4. The write-up you reference contains several inaccuracies and links to irrelevant code updates, so is causing confusion for our users.


In terms of the updates I've made if you do feel this needs to remain in your database:

  • I've provided further information in the description about the scope of the exploit, our consideration on the matter and how we provide users with the option to handle it should they feel it's necessary for their situation.
  • On the CVE score I've corrected "privileges required" (you have to be authenticated to use the exploit), "user interaction" to required (as you have to have been granted access to the system by a human), and "confidentiality" to none (as the exploit is about writing information, not reading). Please of course review, but I believe that's reasonable.
  • Removed some irrelevant links and added one to our own documentation of the issue and resolution for customers that want to use it.

Thanks very much for your help with this matter.
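The server-side sanitizing hook mentioned in point 1 above, shown as an added example rather than code from Umbraco or from this pull request. It assumes Umbraco's `IHtmlSanitizer` interface and `AddUnique` registration as described in the linked documentation, and the third-party `HtmlSanitizer` (Ganss.Xss) NuGet package for the actual allow-list filtering.

```csharp
using Ganss.Xss;                              // third-party HtmlSanitizer package (assumed available)
using Umbraco.Cms.Core.Composing;
using Umbraco.Cms.Core.DependencyInjection;
using Umbraco.Cms.Core.Security;              // IHtmlSanitizer hook (assumed, per linked docs)

// Allow-list sanitizer applied to rich text before it is stored by the CMS.
// Anything not explicitly allowed (script tags, event-handler attributes,
// javascript: URLs) is dropped rather than rendered to site visitors.
public class AllowListHtmlSanitizer : IHtmlSanitizer
{
    private readonly HtmlSanitizer _sanitizer = new HtmlSanitizer();

    public AllowListHtmlSanitizer()
    {
        // Start from an explicit allow-list instead of trying to block known-bad markup.
        _sanitizer.AllowedTags.Clear();
        _sanitizer.AllowedTags.UnionWith(new[]
        {
            "p", "a", "strong", "em", "ul", "ol", "li", "h2", "h3", "img", "br", "blockquote"
        });

        _sanitizer.AllowedAttributes.Clear();
        _sanitizer.AllowedAttributes.UnionWith(new[] { "href", "src", "alt", "title" });

        // Only plain web schemes in href/src; "javascript:" and "data:" are rejected.
        _sanitizer.AllowedSchemes.Clear();
        _sanitizer.AllowedSchemes.UnionWith(new[] { "http", "https" });
    }

    // Called by the CMS for rich text editor content (hook signature assumed from docs).
    public string Sanitize(string html) =>
        string.IsNullOrEmpty(html) ? html : _sanitizer.Sanitize(html);
}

// Composer that swaps the default no-op sanitizer for the allow-list one at startup.
public class SanitizerComposer : IComposer
{
    public void Compose(IUmbracoBuilder builder) =>
        builder.Services.AddUnique<IHtmlSanitizer, AllowListHtmlSanitizer>();
}
```

Editors who need additional tags (for example tables or embeds) should extend the allow-list deliberately rather than widening it wholesale, since every added element or attribute is a new decision about what authenticated users may inject into rendered pages.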

@github-actions github-actions bot changed the base branch from main to AndyButland/advisory-improvement-5270 February 13, 2025 06:08