OrchardCore - HTML Injection
Description
OrchardCore versions rc1-11259 to v1.2.2 are vulnerable to HTML injection, which allows an authenticated user with an editor security role to inject a persistent HTML modal dialog component into the dashboard that will affect admin users.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| OrchardCore (NuGet) | >= 1.0.0-rc1-11259, < 1.4.0 | 1.4.0 |
Affected products
- OrchardCore/OrchardCore, v5, Range: v0.0.1
Patches
Vulnerability mechanics
Root cause
"The HTML sanitizer allowed the `"
Attack vector
An authenticated user with an editor security role can inject a persistent HTML modal dialog component into the dashboard by crafting content that includes a `
Affected code
The vulnerability is in the HTML sanitizer configuration in `src/OrchardCore/OrchardCore.Infrastructure/Html/OrchardCoreBuilderExtensions.cs`. The sanitizer allowed the `
What the fix does
The patch in [patch_id=1641465] removes the `
Preconditions
- auth: Attacker must be authenticated with an editor security role
- input: Attacker must have access to a content editor that accepts HTML input
Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-5gg9-gwj4-mqmj (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2022-32173 (ghsa, ADVISORY)
- github.com/OrchardCMS/OrchardCore/commit/0163c88ddeaca39815d7e6e5ea1c8391085cc136 (ghsa, x_refsource_MISC, WEB)
- github.com/OrchardCMS/OrchardCore/pull/11729 (ghsa, WEB)
- www.mend.io/vulnerability-database/CVE-2022-32173 (ghsa, x_refsource_MISC, WEB)