OrchardCore vulnerable to HTML injection

Moderate severity • GitHub Reviewed • Published Oct 4, 2022 to the GitHub Advisory Database • Updated Jan 27, 2023

Package

OrchardCore (NuGet)

Affected versions

>= 1.0.0-rc1-11259, < 1.4.0

Patched versions

1.4.0

Description

OrchardCore versions starting with 1.0.0-rc1-11259 and prior to 1.4.0 are vulnerable to HTML injection. The vulnerability allows an authenticated user with an editor security role to inject a persistent HTML modal dialog component into the dashboard that will affect admin users. Version 1.4.0 contains a patch.
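
An added example, not part of the advisory or of the OrchardCore project: a Python check that flags an exact OrchardCore PackageReference version falling inside the affected range stated above, including its prerelease lower bound. It assumes SDK-style .csproj files and SemVer 2.0 ordering with case-insensitive prerelease labels as an approximation of NuGet's version comparison; the function names and the sample project file are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Range copied from this advisory: >= 1.0.0-rc1-11259, < 1.4.0
LOWER, FIXED = "1.0.0-rc1-11259", "1.4.0"

def sort_key(version):
    """Build a SemVer 2.0 sort key for 'X.Y.Z[-prerelease][+build]'."""
    core, _, pre = version.split("+")[0].partition("-")
    nums = tuple(int(n) for n in core.split("."))  # ValueError on ranges like "1.*"
    nums += (0,) * (3 - len(nums))
    # Numeric prerelease identifiers sort below alphanumeric ones;
    # labels are compared case-insensitively (assumed NuGet behaviour).
    ids = tuple((0, int(p), "") if p.isdigit() else (1, 0, p.lower())
                for p in pre.split(".")) if pre else ()
    # A release (no prerelease label) sorts above any prerelease of the same core.
    return nums, (0 if pre else 1), ids

def is_affected(version):
    """True when LOWER <= version < FIXED."""
    return sort_key(LOWER) <= sort_key(version) < sort_key(FIXED)

def scan_csproj(xml_text, package="OrchardCore"):
    """Return [(version, affected)]; affected is None when the version
    is missing or is not an exact version and needs manual review."""
    results = []
    for ref in ET.fromstring(xml_text).iter("PackageReference"):
        if ref.get("Include", "").lower() != package.lower():
            continue
        version = ref.get("Version") or ref.findtext("Version") or ""
        try:
            results.append((version, is_affected(version)))
        except ValueError:
            results.append((version, None))
    return results

# Constructed sample project file, not taken from any real repository.
SAMPLE = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="OrchardCore" Version="1.3.0" />
    <PackageReference Include="Newtonsoft.Json" Version="13.0.1" />
  </ItemGroup>
</Project>"""

if __name__ == "__main__":
    for version, affected in scan_csproj(SAMPLE):
        print(f"OrchardCore {version}: affected={affected}")
```

A result of None means the reference uses a floating version, a range, or central package management, so the resolved version has to be read from the lock file or restore output instead.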

References

Published by the National Vulnerability Database Oct 3, 2022
Published to the GitHub Advisory Database Oct 4, 2022
Reviewed Oct 4, 2022
Last updated Jan 27, 2023

Severity

Moderate 5.4 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Weaknesses

CVE ID

CVE-2022-32173

GHSA ID

GHSA-5gg9-gwj4-mqmj