CVE-2020-37019
Persistent XSS in Orchard Core RC1 Blog Post MarkdownBodyPart
Publication date: 2026-01-30
Last updated on: 2026-01-30
Assigner: VulnCheck
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| orchardcms | orchardcore | to 1.0 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2020-37019 is a persistent cross-site scripting (XSS) vulnerability in Orchard Core RC1. It allows remote attackers to inject malicious JavaScript code through the MarkdownBodyPart.Source parameter when creating blog posts. This malicious script is stored and later executed in the browsers of users who view the compromised blog post, enabling arbitrary script execution. [2, 3]
How can this vulnerability impact me?
This vulnerability can lead to attackers executing arbitrary scripts in the browsers of users who view the infected blog posts. Potential impacts include session hijacking, theft of sensitive information, unauthorized actions performed on behalf of the user, and other malicious activities that compromise user security and privacy. [2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring HTTP POST requests to the endpoint `/Admin/Contents/ContentTypes/BlogPost/Create` for suspicious payloads containing script tags or JavaScript code in the `MarkdownBodyPart.Source` parameter. For example, you can use network traffic inspection tools or web server logs to search for POST requests with payloads like `<script>alert(document.cookie)</script>`. A command example using grep on web server logs could be: `grep -i '<script>' /path/to/access.log | grep '/Admin/Contents/ContentTypes/BlogPost/Create'`. Additionally, scanning for the presence of stored scripts in blog posts rendered by Orchard Core could help identify exploitation. [2]
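The log check described above, as an added Python example (not code from Orchard Core or from the advisory). It assumes request bodies are captured as JSON lines with hypothetical `client`, `method`, `path` and `body` fields, because standard access logs usually do not record POST bodies. It percent-decodes the form body before matching, and it also flags inline event handlers and `javascript:` URIs, which goes slightly beyond the `<script>` case in the text.

```python
import json
import re
from urllib.parse import parse_qs

ENDPOINT = "/admin/contents/contenttypes/blogpost/create"  # path named on the page
FIELD = "MarkdownBodyPart.Source"                          # parameter named on the page
# Patterns for script-capable markup in the decoded Markdown source.
RULES = [
    ("script-tag", re.compile(r"<\s*script\b", re.I)),
    ("event-handler", re.compile(r"<[^>]*\son\w+\s*=", re.I)),
    ("javascript-uri", re.compile(r"javascript\s*:", re.I)),
]

def matched_rules(value):
    """Names of the rules that match one decoded field value."""
    return [name for name, rx in RULES if rx.search(value)]

def scan(lines):
    """Return (line_no, client, rules) for each suspicious blog-post create request."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        try:
            rec = json.loads(line)
            path = rec.get("path", "").split("?", 1)[0].rstrip("/").lower()
        except (ValueError, AttributeError):
            continue  # skip truncated lines and records that are not JSON objects
        if rec.get("method") != "POST" or path != ENDPOINT:
            continue
        # parse_qs percent-decodes, so %3Cscript%3E is inspected as <script>
        form = parse_qs(rec.get("body", ""), keep_blank_values=True)
        rules = sorted({r for v in form.get(FIELD, []) for r in matched_rules(v)})
        if rules:
            findings.append((line_no, rec.get("client", "?"), rules))
    return findings

# Constructed sample records (not from a real system).
SAMPLE = [
    '{"client":"198.51.100.7","method":"POST","path":"/Admin/Contents/ContentTypes/BlogPost/Create",'
    '"body":"Title=Hello&MarkdownBodyPart.Source=%23+First+post"}',
    '{"client":"198.51.100.9","method":"POST","path":"/Admin/Contents/ContentTypes/BlogPost/Create",'
    '"body":"Title=x&MarkdownBodyPart.Source=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E"}',
    '{"client":"198.51.100.9","method":"GET","path":"/Admin/Contents/ContentTypes/BlogPost/Create","body":""}',
    '{"client":"203.0.113.4","method":"POST","path":"/search","body":"q=%3Cscript%3E"}',
    'truncated {',
]

if __name__ == "__main__":
    for line_no, client, rules in scan(SAMPLE):
        print(f"line {line_no}: {client} -> {', '.join(rules)}")
```

A plain `grep '<script>'` over the same records would miss the second sample, because the payload is percent-encoded in the form body.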
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying the vendor-provided hotfix or patch that restricts rendering of `<script>` tags by default in content parts, as discussed in the Orchard Core GitHub issue #5802. Ensure that only authorized users (Editors) have permission to edit front-end templates and inject custom scripts, while restricting Contributors from doing so. Implement filtering or sanitization of input in the `MarkdownBodyPart.Source` parameter to prevent script injection. If a patch is not yet applied, consider disabling blog post creation or editing features for untrusted users until the fix is deployed. [1, 2]