Title: Stored Cross-Site Scripting in OrchardCMS
CVE ID: CVE-2022-37720
CVSSv3 Base Score: 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
Vendor: Orchard Project
Products: OrchardCMS
Advisory Release Date: 14 November 2022
Advisory URL: https://labs.integrity.pt/advisories/cve-2022-37720
Credits: Discovery by Bruno Barreirinhas <bb[at]integrity.pt>
OrchardCMS is vulnerable to a stored XSS when a low-privileged user, such as an author or publisher, injects a crafted HTML and JavaScript payload into a blog post, leading to full admin account takeover or privilege escalation when the malicious blog post is loaded in the victim's browser.
No official patch has been released by the vendor, as the product is discontinued.
* Upgrade to Orchard Core