
CVE-2022-32173: OrchardCore vulnerable to HTML injection

CVSS Score: 5.4
CVSS Version: 3.1

Basic Information

EPSS Score: 0.42336%
Published: 10/4/2022
Updated: 1/27/2023
KEV Status: No
Technology: C#

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
OrchardCore | nuget | >= 1.0.0-rc1-11259, < 1.4.0 | 1.4.0

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stems from incomplete HTML sanitization in the ConfigureHtmlSanitizer configuration. The patch explicitly removes the 'form' tag from AllowedTags (sanitizer.AllowedTags.Remove("form")), indicating this was the attack vector. The AddHtmlSanitizer method in OrchardCoreBuilderExtensions.cs is responsible for configuring the sanitizer's allow-list, making it the root of the vulnerability. The presence of 'form' in allowed tags prior to v1.4.0 allowed attackers to inject modal dialogs with form elements, as demonstrated in the PoC.
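The effect of the allow-list change described above, as an added example that is not OrchardCore's code or part of the original page. It assumes the sanitizer is the HtmlSanitizer NuGet package (namespace Ganss.Xss), whose AllowedTags set the quoted patch line operates on; the class name and sample markup are constructed for illustration.

```csharp
using System;
using Ganss.Xss; // HtmlSanitizer NuGet package (assumed; namespace is Ganss.XSS in older releases)

static class FormTagAllowListDemo
{
    // Constructed sample input: editor-supplied markup that wraps a form in a modal-style container.
    const string Sample =
        "<div><p>Notice</p>" +
        "<form action=\"https://example.invalid/submit\">" +
        "<input name=\"q\"><button>OK</button></form></div>";

    static void Main()
    {
        // Library defaults: "form" is on the allow-list, the condition the page
        // describes for versions before 1.4.0.
        var before = new HtmlSanitizer();

        // Same sanitizer with the change the page quotes from the patch.
        var after = new HtmlSanitizer();
        after.AllowedTags.Remove("form");

        Report("default allow-list", before);
        Report("form removed", after);
    }

    // Sanitizes the sample and reports whether a form element survives,
    // so the two configurations can be compared side by side.
    static void Report(string label, HtmlSanitizer sanitizer)
    {
        string output = sanitizer.Sanitize(Sample);
        bool formAllowed = sanitizer.AllowedTags.Contains("form");
        bool formInOutput = output.Contains("<form", StringComparison.OrdinalIgnoreCase);

        Console.WriteLine($"[{label}] form allowed: {formAllowed}, form in output: {formInOutput}");
        Console.WriteLine(output);
    }
}
```

The same comparison can serve as a regression check in a test project that asserts no `<form` appears in sanitized editor content.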


WAF Protection Rules

WAF Rule

OrchardCore versions starting with 1.0.0-rc1-11259 and prior to 1.4.0 are vulnerable to HTML injection. The vulnerability allows an authenticated user with an editor security role to inject a persistent HTML modal dialog component into the dashboard
