CVE-2022-32173 - OpenCVE

In OrchardCore rc1-11259 to v1.2.2 vulnerable to HTML injection, allow an authenticated user with an editor security role to inject a persistent HTML modal dialog component into the dashboard that will affect admin users.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Orchardcore	Orchardcore

Configuration 1 [-]

cpe:2.3:a:orchardcore:orchardcore:*:*:*:*:*:*:*:*

References

Link	Resource
https://github.com/OrchardCMS/OrchardCore/commit/0163c88ddeaca39815d7e6e5ea1c8391085cc136	Patch Third Party Advisory
https://www.mend.io/vulnerability-database/CVE-2022-32173	Exploit Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: Mend

Published: 2022-09-28T00:00:00

Updated: 2022-10-03T12:25:08

Reserved: 2022-05-31T00:00:00

Link: CVE-2022-32173

JSON object: View

NVD Information

Status : Modified

Published: 2022-10-03T13:15:09.737

Modified: 2023-11-07T03:47:45.077

Link: CVE-2022-32173

JSON object: View

Redhat Information

No data.

CWE

CWE-79

{"containers": {"cna": {"affected": [{"product": "OrchardCore", "vendor": "OrchardCore", "versions": [{"lessThan": "unspecified", "status": "affected", "version": "v0.0.1", "versionType": "custom"}, {"lessThanOrEqual": "rc2-13929", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Mend Vulnerability Research Team (MVR)"}], "datePublic": "2022-09-28T00:00:00", "descriptions": [{"lang": "en", "value": "In OrchardCore rc1-11259 to v1.2.2 vulnerable to HTML injection, allow an authenticated user with an editor security role to inject a persistent HTML modal dialog component into the dashboard that will affect admin users."}], "metrics": [{"other": {"content": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": 3.1}, "type": "unknown"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-10-03T12:25:08", "orgId": "478c68dd-22c1-4a41-97cd-654224dfacff", "shortName": "Mend"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.mend.io/vulnerability-database/CVE-2022-32173"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/OrchardCMS/OrchardCore/commit/0163c88ddeaca39815d7e6e5ea1c8391085cc136"}], "solutions": [{"lang": "en", "value": "Update version to v1.4.0 or later"}], "source": {"advisory": "https://www.mend.io/vulnerability-database/", "discovery": "UNKNOWN"}, "title": " OrchardCore - HTML Injection", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com", "DATE_PUBLIC": "Sep 28, 2022, 12:00:00 AM", "ID": "CVE-2022-32173", "STATE": "PUBLIC", "TITLE": " OrchardCore - HTML Injection"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "OrchardCore", "version": {"version_data": [{"version_affected": ">=", "version_value": "v0.0.1"}, {"version_affected": "<=", "version_value": "rc2-13929"}]}}]}, "vendor_name": "OrchardCore"}]}}, "credit": [{"lang": "eng", "value": "Mend Vulnerability Research Team (MVR)"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In OrchardCore rc1-11259 to v1.2.2 vulnerable to HTML injection, allow an authenticated user with an editor security role to inject a persistent HTML modal dialog component into the dashboard that will affect admin users."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": 3.1}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}]}, "references": {"reference_data": [{"name": "https://www.mend.io/vulnerability-database/CVE-2022-32173", "refsource": "MISC", "url": "https://www.mend.io/vulnerability-database/CVE-2022-32173"}, {"name": "https://github.com/OrchardCMS/OrchardCore/commit/0163c88ddeaca39815d7e6e5ea1c8391085cc136", "refsource": "MISC", "url": "https://github.com/OrchardCMS/OrchardCore/commit/0163c88ddeaca39815d7e6e5ea1c8391085cc136"}]}, "solution": [{"lang": "en", "value": "Update version to v1.4.0 or later"}], "source": {"advisory": "https://www.mend.io/vulnerability-database/", "discovery": "UNKNOWN"}}}}, "cveMetadata": {"assignerOrgId": "478c68dd-22c1-4a41-97cd-654224dfacff", "assignerShortName": "Mend", "cveId": "CVE-2022-32173", "datePublished": "2022-09-28T00:00:00", "dateReserved": "2022-05-31T00:00:00", "dateUpdated": "2022-10-03T12:25:08", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}