Description
Cross-site scripting (XSS) vulnerability in the Users module in Orchard 1.7.3 through 1.8.2 and 1.9.x before 1.9.1 allows remote attackers to inject arbitrary web script or HTML via the username when creating a new user account, which is not properly handled when deleting an account.
Exploits (1)
References (5)
Core References (5)
Exploit, x_refsource_misc: http://packetstormsecurity.com/files/132583/Orchard-CMS-1.9.0-1.8.2-1.7.3-Cross-Site-Scripting.html
Exploit, mailing-list, x_refsource_fulldisc: http://seclists.org/fulldisclosure/2015/Jul/32
Exploit, x_refsource_misc: https://projectzero.gr/en/2015/07/orchard-persistent-xss-vulnerability/
Patch, Vendor Advisory, x_refsource_confirm: http://docs.orchardproject.net/Documentation/Patch-20150630
Exploit, exploit, x_refsource_exploit-db: https://www.exploit-db.com/exploits/37533/
Scores
EPSS: 0.1581
EPSS Percentile: 94.8%
Details
CWE: CWE-79
Status: published
Products (5)
orchardproject/orchard 1.7.3
orchardproject/orchard 1.8
orchardproject/orchard 1.8.1
orchardproject/orchard 1.8.2
orchardproject/orchard 1.9
Published: Jul 14, 2015
Tracked Since: Feb 18, 2026