lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 06 Jul 2015 13:45:30 +0300
From: Paris Zoumpouloglou <>
Subject: [FD] Orchard CMS - Persistent XSS vulnerability


Orchard is a free, open source, community-focused content management
system written in ASP.NET platform using the ASP.NET MVC framework. Its
vision is to create shared components for building ASP.NET applications
and extensions, and specific applications that leverage these components
to meet the needs of end-users, scripters, and developers.

Software Version

The version of Orchard affected by this issue are 1.7.3, 1.8.2 and
1.9.0. Version below 1.7.3 are not affected


A persistent XSS vulnerability was discovered in the Users module that
is distributed with the core distribution of the CMS. The issue
potentially allows elevation of privileges by tricking an administrator
to execute some custom crafted script on his behalf. The issue affects
the Username field, since a user is allowed to register a username
containing potentially dangerous characters.

More information can be found here

Proof of Concept

1. Attacker registers a new user account with username e.x
2. The administrator attempts to delete the account using the Users core
3. Once the administrator clicks on the "delete" action, the XSS payload
is executed.




2015-06-10 Vulnerability reported to Orchard CMS development team
2015-06-12 Response and issue verification
2015-06-30 Update and patch release
2015-07-06 Public Disclosure


Reported by Paris Zoumpouloglou of Project Zero labs

Paris Zoumpouloglou

Sent through the Full Disclosure mailing list
Web Archives & RSS:

Powered by blists - more mailing lists