CVE-2022-32173 - Vulnerability Details - OpenCVE

Description

In OrchardCore rc1-11259 to v1.2.2 vulnerable to HTML injection, allow an authenticated user with an editor security role to inject a persistent HTML modal dialog component into the dashboard that will affect admin users.

Published: 2022-10-03

Score: 5.4 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

OrchardCore

OrchardCore

affected

Version	Status	Constraints
`v0.0.1`	affected	< unspecified
`unspecified`	affected	≤ rc2-13929

Configuration 1 [-]

cpe:2.3:a:orchardcore:orchardcore:*:*:*:*:*:*:*:*

No data.

No data available yet.

Remediation

Vendor Solution

Update version to v1.4.0 or later

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2022-7025	In OrchardCore rc1-11259 to v1.2.2 vulnerable to HTML injection, allow an authenticated user with an editor security role to inject a persistent HTML modal dialog component into the dashboard that will affect admin users.
Github GHSA	GHSA-5gg9-gwj4-mqmj	OrchardCore vulnerable to HTML injection

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00191.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://github.com/OrchardCMS/OrchardCore/commit/0163c88ddeaca39815d7e6e5ea1c8391085cc136
https://www.mend.io/vulnerability-database/CVE-2022-32173

History

Mon, 16 Sep 2024 19:30:00 +0000

Type	Values Removed	Values Added
Title	OrchardCore - HTML Injection	OrchardCore - HTML Injection

Subscriptions

Orchardcore Orchardcore

MITRE

Status: PUBLISHED

Assigner: Mend

Published: 2022-10-03T12:25:08.390Z

Updated: 2024-09-16T19:15:42.733Z

Reserved: 2022-05-31T00:00:00.000Z

Link: CVE-2022-32173

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-10-03T13:15:09.737

Modified: 2024-11-21T07:05:52.883

Link: CVE-2022-32173

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-79

{"containers": {"cna": {"affected": [{"product": "OrchardCore", "vendor": "OrchardCore", "versions": [{"lessThan": "unspecified", "status": "affected", "version": "v0.0.1", "versionType": "custom"}, {"lessThanOrEqual": "rc2-13929", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Mend Vulnerability Research Team (MVR)"}], "datePublic": "2022-09-28T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "In OrchardCore rc1-11259 to v1.2.2 vulnerable to HTML injection, allow an authenticated user with an editor security role to inject a persistent HTML modal dialog component into the dashboard that will affect admin users."}], "metrics": [{"other": {"content": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": 3.1}, "type": "unknown"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-10-03T12:25:08.000Z", "orgId": "478c68dd-22c1-4a41-97cd-654224dfacff", "shortName": "Mend"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.mend.io/vulnerability-database/CVE-2022-32173"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/OrchardCMS/OrchardCore/commit/0163c88ddeaca39815d7e6e5ea1c8391085cc136"}], "solutions": [{"lang": "en", "value": "Update version to v1.4.0 or later"}], "source": {"advisory": "https://www.mend.io/vulnerability-database/", "discovery": "UNKNOWN"}, "title": "OrchardCore - HTML Injection", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com", "DATE_PUBLIC": "Sep 28, 2022, 12:00:00 AM", "ID": "CVE-2022-32173", "STATE": "PUBLIC", "TITLE": "OrchardCore - HTML Injection"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "OrchardCore", "version": {"version_data": [{"version_affected": ">=", "version_value": "v0.0.1"}, {"version_affected": "<=", "version_value": "rc2-13929"}]}}]}, "vendor_name": "OrchardCore"}]}}, "credit": [{"lang": "eng", "value": "Mend Vulnerability Research Team (MVR)"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In OrchardCore rc1-11259 to v1.2.2 vulnerable to HTML injection, allow an authenticated user with an editor security role to inject a persistent HTML modal dialog component into the dashboard that will affect admin users."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": 3.1}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}]}, "references": {"reference_data": [{"name": "https://www.mend.io/vulnerability-database/CVE-2022-32173", "refsource": "MISC", "url": "https://www.mend.io/vulnerability-database/CVE-2022-32173"}, {"name": "https://github.com/OrchardCMS/OrchardCore/commit/0163c88ddeaca39815d7e6e5ea1c8391085cc136", "refsource": "MISC", "url": "https://github.com/OrchardCMS/OrchardCore/commit/0163c88ddeaca39815d7e6e5ea1c8391085cc136"}]}, "solution": [{"lang": "en", "value": "Update version to v1.4.0 or later"}], "source": {"advisory": "https://www.mend.io/vulnerability-database/", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T07:32:56.015Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.mend.io/vulnerability-database/CVE-2022-32173"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/OrchardCMS/OrchardCore/commit/0163c88ddeaca39815d7e6e5ea1c8391085cc136"}]}]}, "cveMetadata": {"assignerOrgId": "478c68dd-22c1-4a41-97cd-654224dfacff", "assignerShortName": "Mend", "cveId": "CVE-2022-32173", "datePublished": "2022-10-03T12:25:08.390Z", "dateReserved": "2022-05-31T00:00:00.000Z", "dateUpdated": "2024-09-16T19:15:42.733Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:orchardcore:orchardcore:*:*:*:*:*:*:*:*", "matchCriteriaId": "D600A06B-A974-4B92-BB33-8F4E017DD973", "versionEndExcluding": "1.4.0", "versionStartIncluding": "0.0.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In OrchardCore rc1-11259 to v1.2.2 vulnerable to HTML injection, allow an authenticated user with an editor security role to inject a persistent HTML modal dialog component into the dashboard that will affect admin users."}, {"lang": "es", "value": "En OrchardCore versiones rc1-11259 a v1.2.2, es vulnerable a una inyecci\u00f3n de HTML, lo que permite a un usuario autenticado con un rol de seguridad de editor inyectar un componente de di\u00e1logo modal HTML persistente en el tablero de instrumentos que afectar\u00e1 a usuarios administradores"}], "id": "CVE-2022-32173", "lastModified": "2024-11-21T07:05:52.883", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-10-03T13:15:09.737", "references": [{"source": "vulnerabilitylab@mend.io", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/OrchardCMS/OrchardCore/commit/0163c88ddeaca39815d7e6e5ea1c8391085cc136"}, {"source": "vulnerabilitylab@mend.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.mend.io/vulnerability-database/CVE-2022-32173"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/OrchardCMS/OrchardCore/commit/0163c88ddeaca39815d7e6e5ea1c8391085cc136"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.mend.io/vulnerability-database/CVE-2022-32173"}], "sourceIdentifier": "vulnerabilitylab@mend.io", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "vulnerabilitylab@mend.io", "type": "Secondary"}]}