CVE-2020-37019

MEDIUM

Orchard Core RC1 - Stored Cross-Site Scripting via Blog Post MarkdownBodyPart.Source Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-37019. PoCs published by SunCSR.

AI-analyzed exploit summary: This exploit demonstrates a persistent Cross-Site Scripting (XSS) vulnerability in Orchard Core RC1. It shows how an attacker can inject arbitrary JavaScript code via the blog post creation or editing functionality, which is then stored and executed when the content is viewed.

Description

Orchard Core RC1 contains a persistent cross-site scripting vulnerability that allows remote attackers to inject malicious scripts through blog post creation. Attackers can create blog posts with embedded JavaScript in the MarkdownBodyPart.Source parameter to execute arbitrary scripts in victim browsers.

Exploits (1)

exploitdb WORKING POC
by SunCSR · text · webapps · aspx
https://www.exploit-db.com/exploits/48456


Classification
Working PoC 90%
Attack Type XSS
Complexity Trivial
Reliability Reliable
Target: Orchard Core RC1
Auth required
Prerequisites: Access to the admin panel for creating or editing blog posts · Valid __RequestVerificationToken
devstral-2 · analyzed Feb 16, 2026

References (5)

Core References
Exploit, Third Party Advisory (exploit)
https://www.exploit-db.com/exploits/48456
Various Sources (product)
http://www.orchardcore.net/
Issue Tracking (issue-tracking, patch)
https://github.com/OrchardCMS/OrchardCore/issues/5802

Scores

CVSS v3 6.4
EPSS 0.0040
EPSS Percentile 31.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Published Jan 30, 2026
Tracked Since Feb 18, 2026