On April 30, 2013 we released a security update for a discovered non-persistent (reflected) XSS vulnerability affecting all versions of Orchard. For more information on this kind of vulnerability please read http://en.wikipedia.org/wiki/Cross-site_scripting.
For the official announcement please read http://docs.orchardproject.net/Documentation/Patch-4-30-2013
The Comments module provided by default with Orchard could in some circumstances let an external website render custom scripts on an Orchard website. As a matter of fact you should never click on buttons from untrusted websites. This vulnerability might ultimately be used to gather your credentials if you then authenticate on the targeted Orchard website.
Apply the patches provided for your version on the http://orchard.codeplex.com website in the Downloads section, or update to Orchard 1.6.1.
- If you don't use the Comments module in Orchard, you can simply disable it in the Modules section of the Dashboard.
- If your theme doesn't render the Messages zone, you are also safe, even if the Comments module is activated.