Unrated severityNVD Advisory· Published Jul 14, 2015· Updated May 6, 2026

CVE-2015-5520

Description

Cross-site scripting (XSS) vulnerability in the Users module in Orchard 1.7.3 through 1.8.2 and 1.9.x before 1.9.1 allows remote attackers to inject arbitrary web script or HTML via the username when creating a new user account, which is not properly handled when deleting an account.

Affected products

Orchardproject/Orchard5 versions
cpe:2.3:a:orchardproject:orchard:1.7.3:*:*:*:*:*:*:*+ 4 more
- cpe:2.3:a:orchardproject:orchard:1.7.3:*:*:*:*:*:*:*
- cpe:2.3:a:orchardproject:orchard:1.8:*:*:*:*:*:*:*
- cpe:2.3:a:orchardproject:orchard:1.8.1:*:*:*:*:*:*:*
- cpe:2.3:a:orchardproject:orchard:1.8.2:*:*:*:*:*:*:*
- cpe:2.3:a:orchardproject:orchard:1.9:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

docs.orchardproject.net/Documentation/Patch-20150630nvdPatchVendor Advisory
packetstormsecurity.com/files/132583/Orchard-CMS-1.9.0-1.8.2-1.7.3-Cross-Site-Scripting.htmlnvdExploit
seclists.org/fulldisclosure/2015/Jul/32nvdExploit
projectzero.gr/en/2015/07/orchard-persistent-xss-vulnerability/nvdExploit
www.exploit-db.com/exploits/37533/nvdExploit

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.013
exploit	0.030
kev	0.000
patch	0.000
ransomware	0.000