
CVE-2022-0159: orchardcore is vulnerable to Cross-site Scripting

CVSS Score (v3.1): 5.4

Basic Information

EPSS Score: 0.44009%
Published: 1/21/2022
Updated: 2/3/2023
KEV Status: No
Technology: C#

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Package Name: OrchardCore
Ecosystem: nuget
Vulnerable Versions: < 1.2.1
First Patched Version: 1.2.1

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stemmed from improper output encoding in Razor views. Key issues included:

  1. User-controlled values (e.g., item.Text, typeDisplayName) were rendered unencoded, either by wrapping them in Html.Raw() or by emitting them without Html.Encode().
  2. The patches consistently addressed this by either removing Html.Raw() (relying on Razor's default encoding) or explicitly adding Html.Encode(). High-confidence examples include views such as Manage.cshtml and Create.cshtml, where unencoded rendering of dynamic data was corrected. Controller changes (e.g., DashboardController) also contributed by simplifying the data flow, but the primary XSS vectors were in view rendering.
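The following is an added illustration, not code from the Miggo page or from the OrchardCore project: a minimal C# stand-in for a Razor view that renders a user-controlled item.Text value. It places the vulnerable pattern (Html.Raw, i.e. the value spliced into the markup verbatim) beside the hardened pattern (Razor's default @-expression encoding, reproduced here with System.Text.Encodings.Web.HtmlEncoder, which is the encoder ASP.NET Core Razor uses). The type name ItemViewModel and the sample input are assumptions constructed for the example.

```csharp
// Added example (not from the Miggo page or the OrchardCore project): a minimal
// stand-in for a Razor view rendering a user-controlled item.Text value.
// ItemViewModel and the sample text below are constructed for this illustration.
using System;
using System.Text.Encodings.Web;

public sealed class ItemViewModel
{
    // Value supplied by an authenticated user and stored for later display.
    public string Text { get; init; } = "";
}

public static class ItemView
{
    // Equivalent of the vulnerable view code:   <li>@Html.Raw(item.Text)</li>
    // Html.Raw marks the string as already-safe HTML, so Razor skips encoding and
    // any markup inside the value reaches the browser as live elements.
    public static string RenderVulnerable(ItemViewModel item)
        => $"<li>{item.Text}</li>";

    // Equivalent of the patched view code:      <li>@item.Text</li>
    // (or @Html.Encode(item.Text) where the view was changed to encode explicitly).
    // Razor HTML-encodes @-expressions by default; HtmlEncoder.Default performs the
    // same transformation here, turning <, >, &, " and ' into character references.
    public static string RenderHardened(ItemViewModel item)
        => $"<li>{HtmlEncoder.Default.Encode(item.Text)}</li>";

    // True when the rendered fragment still carries a raw angle bracket that did not
    // come from the view's own template, i.e. the user value was not encoded.
    // Used here as a simple regression check, not as a sanitizer.
    public static bool ContainsUnencodedUserMarkup(string rendered)
    {
        const string prefix = "<li>";
        const string suffix = "</li>";
        var inner = rendered.Substring(prefix.Length, rendered.Length - prefix.Length - suffix.Length);
        return inner.Contains('<') || inner.Contains('>');
    }

    public static void Main()
    {
        // Constructed sample input: a stored value containing markup.
        var item = new ItemViewModel { Text = "<script>alert(1)</script>" };

        var vulnerable = RenderVulnerable(item);
        var hardened = RenderHardened(item);

        Console.WriteLine(vulnerable);
        Console.WriteLine($"unencoded markup present: {ContainsUnencodedUserMarkup(vulnerable)}");

        Console.WriteLine(hardened);
        Console.WriteLine($"unencoded markup present: {ContainsUnencodedUserMarkup(hardened)}");
    }
}
```

In the vulnerable render the script element is emitted verbatim, so the check reports unencoded markup; in the hardened render the angle brackets are escaped and the browser displays the value as text. The same contrast applies to any view that passes dynamic data through Html.Raw(), which is why the patches described above remove Html.Raw() or add Html.Encode() rather than filtering input.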

WAF Protection Rules

WAF Rule

orchardcore is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
