CVE-2022-37720
CRITICAL · CVSS v3.1: 9.0 · EPSS: 0.0096 (57.4 percentile)
At a glance
- Severity: CRITICAL
- CVSS: 9.0 v3.1 · NVD
- EPSS: 0.0096 (57.4 percentile) · FIRST.org
- CISA KEV: No
- Type: XSS · NVD CWE
- Attack conditions (CVSS vector): Network · Source: NVD Vector
- Affected vendors: orchardcore
- Published: 2022-11-25 · Modified: 2026-07-05
- References: 3
CVSS / EPSS / KEV
Source: CVSS from NVD; EPSS from FIRST.org; KEV from CISA.
Description
Orchardproject Orchard CMS 1.10.3 is vulnerable to Cross-Site Scripting (XSS). A low-privileged user, such as an author or publisher, can inject a crafted HTML and JavaScript payload into a blog post; when the malicious blog post is loaded in the victim's browser, the payload can lead to full admin account takeover or privilege escalation.
References
Reference URLs as listed by NVD, grouped by a mechanical match on the link's host/pattern. Labels describe the link type only.
- Reference http://orchardproject.com
- Vendor advisory https://labs.integrity.pt/advisories/cve-2022-37720/
- Reference http://orchard.com