Cross-site Scripting (XSS) - Stored in orchardcms/orchardcore


Reported on

Jan 12th 2022


The Stored XSS vulnerability occurs because the menu editing function can insert a JavaScript Scheme as the value of the menu's HREF.

Proof of Concept

1. Go to Content -> Menu -> Edit
2. Enter javascript:alert(document.domain) as the URL value using the Add or Edit menu function.
3. After saving, use the Preview function to access and click the menu in the Bar.


Through this vulnerability, an attacker is able to execute malicious scripts.


I am sorry because I cannot find the code.

We are processing your report and will contact the orchardcms/orchardcore team within 24 hours. a year ago
Pocas modified the report
a year ago
We have contacted a member of the orchardcms/orchardcore team and are waiting to hear back a year ago
We have sent a follow up to the orchardcms/orchardcore team. We will try again in 7 days. a year ago
orchardcms/orchardcore maintainer
a year ago


I will evaluate the validity of the issue with other maintainers. This is not straightforward since the feature is supposed to let you be able to write custom HTML links on the front-end (this is a CMS). Outcomes could be to protect this feature behind a specific permission.

a year ago


..? The vectors I found do not use HTML Injection. This occurs because the javascript scheme is allowed when creating a simple link. In my experience, there seems to be no javascript scheme validation in this service.

orchardcms/orchardcore maintainer
a year ago


I understand, and many web developers need to create menus that include javascript. This might explain why this input was not "sanitized". This is why I need to talk to other maintainers, to ensure it was not intentional.

a year ago


okay! I understood and I'll wait for your answer. Thank You

orchardcms/orchardcore maintainer validated this vulnerability a year ago
Pocas has been awarded the disclosure bounty
The fix bounty is now up for grabs
orchardcms/orchardcore maintainer marked this as fixed in 1.2.2 with commit 218f25 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
AdminMenu.cs#L3 has been validated
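
The missing scheme validation discussed in the report and thread above can be closed with an allowlist applied to the parsed URL. The block below is an added example, not code from the report or from the Orchard Core fix; the allowlist contents, the `BASE` origin, the function names and the sample menu are assumptions made for illustration.

```javascript
// Added example: scheme allowlist for menu link URLs (not Orchard Core's code).
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:", "tel:"]);

// Hypothetical site origin, used only so relative links can be parsed.
const BASE = "https://cms.example/";

// True when `value`, resolved the way a browser resolves an href,
// ends up with a scheme on the allowlist.
function isSafeMenuUrl(value) {
  if (typeof value !== "string") return false;
  let parsed;
  try {
    // The WHATWG URL parser trims leading/trailing control characters and
    // spaces, drops tabs and newlines, and lowercases the scheme, so the
    // decision is made on the same scheme the browser would act on.
    parsed = new URL(value, BASE);
  } catch {
    return false; // unparseable input is rejected, not passed through
  }
  return ALLOWED_SCHEMES.has(parsed.protocol);
}

// Replace rejected URLs with an inert fragment link and flag the item
// so the editor UI or an audit log can surface it.
function sanitizeMenu(items) {
  return items.map((item) => {
    const ok = isSafeMenuUrl(item.url);
    return { ...item, url: ok ? item.url : "#", rejected: !ok };
  });
}

// Constructed sample menu: the first URL is the value from the report.
const sampleMenu = [
  { text: "PoC", url: "javascript:alert(document.domain)" },
  { text: "Mixed case", url: " JavaScript:alert(document.domain)" },
  { text: "Embedded tab", url: "java\tscript:alert(document.domain)" },
  { text: "About", url: "~/about" },
  { text: "Docs", url: "https://docs.example/start" },
  { text: "Contact", url: "mailto:team@cms.example" },
];

console.log(sanitizeMenu(sampleMenu));
```

Checking the parsed scheme rather than the raw string prefix is what makes the mixed-case and whitespace variants fail the same way the plain value does. Validation belongs on save and again at render time, so values stored before the check was introduced are also covered.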