Cross-site Scripting (XSS) - Stored in orchardcms/orchardcore
Reported on
Jan 12th 2022
Description
The Stored XSS vulnerability occurs because the menu editing function can insert a JavaScript Scheme as the value of the menu's HREF.
Proof of Concept
1. Go to Content -> Menu -> Edit
2. Enter javascript:alert(document.domain) as the URL value using the Add or Edit menu function.
3. After saving, use the Preview function to access and click the menu in the Bar.
Video : https://youtu.be/tAzuDCUhSZ4
Impact
Through this vulnerability, an attacker is able to execute malicious scripts.
Occurrences
AdminMenu.cs L3
I am sorry because I cannot find the code.
I will evaluate the validity of the issue with other maintainers. This is not straightforward since the feature is supposed to let you be able to write custom HTML links on the front-end (this is a CMS). Outcomes could be to protect this feature behind a specific permission.
..? The vectors I found do not use HTML Injection. This occurs because the javascript scheme is allowed when creating a simple link. In my experience, there seems to be no javascript scheme validation in this service.
I understand, and many web developers need to create menus that include javascript. This might explain why this input was not "sanitized". This is why I need to talk to other maintainers, to ensure it was not intentional.
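The scheme validation discussed in this thread could take the form of an allow-list check applied when a menu link is saved. This is an added example, not Orchard Core code or the project's fix; the class name `MenuHrefValidator`, the set of allowed schemes and the sample inputs are assumptions. Relative URLs stay permitted so that ordinary custom links keep working.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical helper, not part of Orchard Core.
public static class MenuHrefValidator
{
    // Assumption: the schemes a site wants to permit in menu links.
    private static readonly HashSet<string> AllowedSchemes =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "http", "https", "mailto" };

    // Space and ASCII control characters, which browsers ignore at the start of a URL.
    private static readonly char[] LeadingJunk =
        Enumerable.Range(0, 33).Select(i => (char)i).ToArray();

    public static bool IsAllowed(string url)
    {
        if (string.IsNullOrWhiteSpace(url)) return false;

        // Browsers drop tab/CR/LF anywhere in a URL before parsing it,
        // so normalise the same way before looking for the scheme.
        var cleaned = new string(url.Where(c => c != '\t' && c != '\r' && c != '\n').ToArray());
        cleaned = cleaned.TrimStart(LeadingJunk);
        if (cleaned.Length == 0) return false;

        // A scheme is present only if ':' comes before any '/', '\', '?' or '#'.
        int delimiter = cleaned.IndexOfAny(new[] { ':', '/', '\\', '?', '#' });
        if (delimiter < 0 || cleaned[delimiter] != ':')
            return true; // relative URL: no scheme to check

        return AllowedSchemes.Contains(cleaned.Substring(0, delimiter));
    }

    public static void Main()
    {
        // Constructed sample inputs: ordinary links plus the value from the report
        // and case/whitespace variants that a naive string comparison would miss.
        var samples = new[] {
            "https://example.com/docs", "/blog/post-1", "#top", "mailto:team@example.com",
            "javascript:alert(document.domain)", " JaVaScRiPt:alert(1)", "java\tscript:alert(1)"
        };
        foreach (var s in samples)
        {
            var verdict = IsAllowed(s) ? "allow " : "reject";
            Console.WriteLine(verdict + "  " + s.Replace("\t", "\\t"));
        }
    }
}
```

This check covers only the URL scheme; the stored value still has to be HTML-attribute-encoded when the menu is rendered.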