Search
Find a vulnerability
Search criteria
2 vulnerabilities found for Orchard Core by Orchardcore
CVE-2020-37019 (GCVE-0-2020-37019)
Vulnerability from nvd – Published: 2026-01-30 16:16 – Updated: 2026-06-23 16:13
VLAI
EPSS
VEX
Title
Orchard Core RC1 - Persistent Cross-Site Scripting
Summary
Orchard Core RC1 contains a persistent cross-site scripting vulnerability that allows remote attackers to inject malicious scripts through blog post creation. Attackers can create blog posts with embedded JavaScript in the MarkdownBodyPart.Source parameter to execute arbitrary scripts in victim browsers.
Severity
6.4 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://www.exploit-db.com/exploits/48456 | exploit |
| http://www.orchardcore.net/ | product |
| https://github.com/OrchardCMS/OrchardCore | product |
| https://github.com/OrchardCMS/OrchardCore/issues/5802 | issue-tracking |
| https://www.vulncheck.com/advisories/orchard-core… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Orchardcore | Orchard Core |
Affected:
1.0
|
Date Public
2020-05-07 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2020-37019",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-30T16:32:14.487709Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-30T16:32:21.964Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Orchard Core",
"vendor": "Orchardcore",
"versions": [
{
"status": "affected",
"version": "1.0"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:orchardcore:orchardcore:1.0:*:*:*:*:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:orchardcore:orchard_core:1.0.0:-:*:*:*:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "SunCSR (Sun* Cyber Security Research)"
}
],
"datePublic": "2020-05-07T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Orchard Core RC1 contains a persistent cross-site scripting vulnerability that allows remote attackers to inject malicious scripts through blog post creation. Attackers can create blog posts with embedded JavaScript in the MarkdownBodyPart.Source parameter to execute arbitrary scripts in victim browsers."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-23T16:13:03.898Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "ExploitDB-48456",
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/48456"
},
{
"name": "Orchard Core Official Website",
"tags": [
"product"
],
"url": "http://www.orchardcore.net/"
},
{
"name": "Orchard Core GitHub Repository",
"tags": [
"product"
],
"url": "https://github.com/OrchardCMS/OrchardCore"
},
{
"name": "GitHub Issue #5802",
"tags": [
"issue-tracking"
],
"url": "https://github.com/OrchardCMS/OrchardCore/issues/5802"
},
{
"name": "VulnCheck Advisory: Orchard Core RC1 - Persistent Cross-Site Scripting",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/orchard-core-rc-persistent-cross-site-scripting"
}
],
"title": "Orchard Core RC1 - Persistent Cross-Site Scripting",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2020-37019",
"datePublished": "2026-01-30T16:16:39.149Z",
"dateReserved": "2026-01-28T18:18:30.522Z",
"dateUpdated": "2026-06-23T16:13:03.898Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2020-37019 (GCVE-0-2020-37019)
Vulnerability from cvelistv5 – Published: 2026-01-30 16:16 – Updated: 2026-06-23 16:13
VLAI
EPSS
VEX
Title
Orchard Core RC1 - Persistent Cross-Site Scripting
Summary
Orchard Core RC1 contains a persistent cross-site scripting vulnerability that allows remote attackers to inject malicious scripts through blog post creation. Attackers can create blog posts with embedded JavaScript in the MarkdownBodyPart.Source parameter to execute arbitrary scripts in victim browsers.
Severity
6.4 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://www.exploit-db.com/exploits/48456 | exploit |
| http://www.orchardcore.net/ | product |
| https://github.com/OrchardCMS/OrchardCore | product |
| https://github.com/OrchardCMS/OrchardCore/issues/5802 | issue-tracking |
| https://www.vulncheck.com/advisories/orchard-core… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Orchardcore | Orchard Core |
Affected:
1.0
|
Date Public
2020-05-07 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2020-37019",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-30T16:32:14.487709Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-30T16:32:21.964Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Orchard Core",
"vendor": "Orchardcore",
"versions": [
{
"status": "affected",
"version": "1.0"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:orchardcore:orchardcore:1.0:*:*:*:*:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:orchardcore:orchard_core:1.0.0:-:*:*:*:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "SunCSR (Sun* Cyber Security Research)"
}
],
"datePublic": "2020-05-07T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Orchard Core RC1 contains a persistent cross-site scripting vulnerability that allows remote attackers to inject malicious scripts through blog post creation. Attackers can create blog posts with embedded JavaScript in the MarkdownBodyPart.Source parameter to execute arbitrary scripts in victim browsers."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-23T16:13:03.898Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "ExploitDB-48456",
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/48456"
},
{
"name": "Orchard Core Official Website",
"tags": [
"product"
],
"url": "http://www.orchardcore.net/"
},
{
"name": "Orchard Core GitHub Repository",
"tags": [
"product"
],
"url": "https://github.com/OrchardCMS/OrchardCore"
},
{
"name": "GitHub Issue #5802",
"tags": [
"issue-tracking"
],
"url": "https://github.com/OrchardCMS/OrchardCore/issues/5802"
},
{
"name": "VulnCheck Advisory: Orchard Core RC1 - Persistent Cross-Site Scripting",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/orchard-core-rc-persistent-cross-site-scripting"
}
],
"title": "Orchard Core RC1 - Persistent Cross-Site Scripting",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2020-37019",
"datePublished": "2026-01-30T16:16:39.149Z",
"dateReserved": "2026-01-28T18:18:30.522Z",
"dateUpdated": "2026-06-23T16:13:03.898Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}