Security patch recommended for all versions of Orchard

Background

A persistent [XSS](https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)) vulnerability has been discovered by Paris Zoumpouloglou, [Project Zero](http://projectzero.gr/en/), in the _Users_ module that is distributed with the core distribution of the CMS.

The issue potentially allows elevation of privileges by tricking an administrator into executing a custom crafted script on his behalf.

The versions of Orchard affected by this issue are 1.7.3, 1.8.2 and 1.9.0. Versions below 1.7.3 are not affected.

To mitigate the vulnerability, don't click links in the users management page that appear to contain HTML.

Action Required

  • Apply the patch for your version or update to Orchard 1.9.1

We are releasing a patch file for versions 1.7.3 to 1.9.1 that can be applied on top of a running instance of Orchard.

The archive for each of these patches contains a Modules folder that has the right structure to be copied into the root directory of an Orchard site.

If you are using a source version, you need to copy the contents of the zip file into src/Orchard.Web.

You can find patches for all other previous versions here: https://github.com/OrchardCMS/Orchard/releases/tag/1.9.1