CVE-2022-32173 - Vulnerability Details - OpenCVE

In OrchardCore rc1-11259 to v1.2.2 vulnerable to HTML injection, allow an authenticated user with an editor security role to inject a persistent HTML modal dialog component into the dashboard that will affect admin users.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.002.

Key SSVC decision points have not yet been added.

Vendors	Products
Orchardcore	Orchardcore

Configuration 1 [-]

cpe:2.3:a:orchardcore:orchardcore:*:*:*:*:*:*:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2022-7025	In OrchardCore rc1-11259 to v1.2.2 vulnerable to HTML injection, allow an authenticated user with an editor security role to inject a persistent HTML modal dialog component into the dashboard that will affect admin users.
Github GHSA	GHSA-5gg9-gwj4-mqmj	OrchardCore vulnerable to HTML injection

Fixes

Solution

Update version to v1.4.0 or later

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/OrchardCMS/OrchardCore/commit/0163c88ddeaca39815d7e6e5ea1c8391085cc136
https://www.mend.io/vulnerability-database/CVE-2022-32173

History

Mon, 16 Sep 2024 19:30:00 +0000

Type	Values Removed	Values Added
Title	OrchardCore - HTML Injection	OrchardCore - HTML Injection

MITRE

Status: PUBLISHED

Assigner: Mend

Published: 2022-10-03T12:25:08.390383Z

Updated: 2024-09-16T19:15:42.733Z

Reserved: 2022-05-31T00:00:00

Link: CVE-2022-32173

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-10-03T13:15:09.737

Modified: 2024-11-21T07:05:52.883

Link: CVE-2022-32173

Redhat

No data.

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "OrchardCore", "vendor": "OrchardCore", "versions": [{"lessThan": "unspecified", "status": "affected", "version": "v0.0.1", "versionType": "custom"}, {"lessThanOrEqual": "rc2-13929", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Mend Vulnerability Research Team (MVR)"}], "datePublic": "2022-09-28T00:00:00", "descriptions": [{"lang": "en", "value": "In OrchardCore rc1-11259 to v1.2.2 vulnerable to HTML injection, allow an authenticated user with an editor security role to inject a persistent HTML modal dialog component into the dashboard that will affect admin users."}], "metrics": [{"other": {"content": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": 3.1}, "type": "unknown"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-10-03T12:25:08", "orgId": "478c68dd-22c1-4a41-97cd-654224dfacff", "shortName": "Mend"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.mend.io/vulnerability-database/CVE-2022-32173"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/OrchardCMS/OrchardCore/commit/0163c88ddeaca39815d7e6e5ea1c8391085cc136"}], "solutions": [{"lang": "en", "value": "Update version to v1.4.0 or later"}], "source": {"advisory": "https://www.mend.io/vulnerability-database/", "discovery": "UNKNOWN"}, "title": "OrchardCore - HTML Injection", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com", "DATE_PUBLIC": "Sep 28, 2022, 12:00:00 AM", "ID": "CVE-2022-32173", "STATE": "PUBLIC", "TITLE": "OrchardCore - HTML Injection"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "OrchardCore", "version": {"version_data": [{"version_affected": ">=", "version_value": "v0.0.1"}, {"version_affected": "<=", "version_value": "rc2-13929"}]}}]}, "vendor_name": "OrchardCore"}]}}, "credit": [{"lang": "eng", "value": "Mend Vulnerability Research Team (MVR)"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In OrchardCore rc1-11259 to v1.2.2 vulnerable to HTML injection, allow an authenticated user with an editor security role to inject a persistent HTML modal dialog component into the dashboard that will affect admin users."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": 3.1}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}]}, "references": {"reference_data": [{"name": "https://www.mend.io/vulnerability-database/CVE-2022-32173", "refsource": "MISC", "url": "https://www.mend.io/vulnerability-database/CVE-2022-32173"}, {"name": "https://github.com/OrchardCMS/OrchardCore/commit/0163c88ddeaca39815d7e6e5ea1c8391085cc136", "refsource": "MISC", "url": "https://github.com/OrchardCMS/OrchardCore/commit/0163c88ddeaca39815d7e6e5ea1c8391085cc136"}]}, "solution": [{"lang": "en", "value": "Update version to v1.4.0 or later"}], "source": {"advisory": "https://www.mend.io/vulnerability-database/", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T07:32:56.015Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.mend.io/vulnerability-database/CVE-2022-32173"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/OrchardCMS/OrchardCore/commit/0163c88ddeaca39815d7e6e5ea1c8391085cc136"}]}]}, "cveMetadata": {"assignerOrgId": "478c68dd-22c1-4a41-97cd-654224dfacff", "assignerShortName": "Mend", "cveId": "CVE-2022-32173", "datePublished": "2022-10-03T12:25:08.390383Z", "dateReserved": "2022-05-31T00:00:00", "dateUpdated": "2024-09-16T19:15:42.733Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:orchardcore:orchardcore:*:*:*:*:*:*:*:*", "matchCriteriaId": "D600A06B-A974-4B92-BB33-8F4E017DD973", "versionEndExcluding": "1.4.0", "versionStartIncluding": "0.0.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In OrchardCore rc1-11259 to v1.2.2 vulnerable to HTML injection, allow an authenticated user with an editor security role to inject a persistent HTML modal dialog component into the dashboard that will affect admin users."}, {"lang": "es", "value": "En OrchardCore versiones rc1-11259 a v1.2.2, es vulnerable a una inyecci\u00f3n de HTML, lo que permite a un usuario autenticado con un rol de seguridad de editor inyectar un componente de di\u00e1logo modal HTML persistente en el tablero de instrumentos que afectar\u00e1 a usuarios administradores"}], "id": "CVE-2022-32173", "lastModified": "2024-11-21T07:05:52.883", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-10-03T13:15:09.737", "references": [{"source": "vulnerabilitylab@mend.io", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/OrchardCMS/OrchardCore/commit/0163c88ddeaca39815d7e6e5ea1c8391085cc136"}, {"source": "vulnerabilitylab@mend.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.mend.io/vulnerability-database/CVE-2022-32173"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/OrchardCMS/OrchardCore/commit/0163c88ddeaca39815d7e6e5ea1c8391085cc136"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.mend.io/vulnerability-database/CVE-2022-32173"}], "sourceIdentifier": "vulnerabilitylab@mend.io", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "vulnerabilitylab@mend.io", "type": "Secondary"}]}