Description
An issue was discovered in Orchard before 1.10. A broken access control issue in Orchard components that use the TinyMCE HTML editor's file upload allows an attacker to upload dangerous executables, bypassing the allowed file types list in Media settings.
References (2)
Core References
Exploit, Third Party Advisory x_refsource_misc
https://burninatorsec.blogspot.com/2021/04/cve-2020-29592-and-cve-2020-29593.html
Release Notes, Third Party Advisory x_refsource_misc
https://github.com/OrchardCMS/Orchard/releases
Scores
CVSS v3: 9.8
EPSS: 0.0134
EPSS Percentile: 80.1%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE: CWE-434
Status: published
Products (1)
orchardproject/orchard < 1.10
Published: Apr 14, 2021
Tracked Since: Feb 18, 2026