This project is read-only.

Security patch recommended for all versions of Orchard

Topics: Announcements, General
Apr 30, 2013 at 9:31 PM

Security patch recommended for all versions of Orchard


A non-persistent XSS vulnerability has been discovered in the Orchard.Comments module that is distributed with the core distribution of the CMS. The module could in some circumstances let an external website render custom scripts on an Orchard website. This vulnerability might ultimately be used to gather your credentials if you further authenticate on the targeted Orchard website.

All released versions of Orchard are vulnerable and need to be patched immediately.

We are releasing today (April 30, 2013) a new version 1.6.1 of Orchard 1.6 that has the patch in place. This new version is replacing the previously available download. If you are downloading Orchard 1.6.1 today, you do not need to take any additional steps. The latest 1.x development branch is already patched as well. We are also releasing patch files for each version of Orchard from 1.0 to 1.6 that can be applied to existing web sites.


  • If you don't use the Comments module in Orchard, you can simply disable it in the Modules section of the Dashboard.
  • If your theme doesn't render the Messages zone, you are also safe, even if the Comments module is activated.

Action Required

Apply the patch for your version, update to Orchard 1.6.1, or update to the latest 1.x.

Orchard 1.6.1:

For older versions of Orchard, we are releasing patch files that can be applied on top of a running instance of Orchard. The archive for each of these patches contains a Modules folder that has the right structure to be copied into the root directory of an Orchard site. If you are using a source version, you need to copy the contents of the zip file into src/Orchard.Web.
Jun 26, 2013 at 12:32 PM
Hello Sebastien.
  1. Can you tell me how to apply (how to do it) a security patch to version 1.5.5?
  2. If downloading an older versions of Orchard, do you have to apply the security patch also, or is the patch already done in the older versions?
thanks for your answer