About the software
Orchard is a free, open source, community-focused content management system written in ASP.NET platform using the ASP.NET MVC framework. Its vision is to create shared components for building ASP.NET applications and extensions, and specific applications that leverage these components to meet the needs of end-users, scripters, and developers.
The version of Orchard affected by this issue are 1.7.3, 1.8.2 and 1.9.0. Version below 1.7.3 are not affected
A persistent XSS vulnerability was discovered in the Users module that is distributed with the core distribution of the CMS. The issue potentially allows elevation of privileges by tricking an administrator to execute some custom crafted script on his behalf. The issue affects the Username field, since a user is allowed to register a username containing potentially dangerous characters.
More information can be found here
Proof Of Concept
1. Attacker registers a new user account with username e.x <script>alert(“XSS”)</script>
2. The administrator attempts to delete the account using the Users core module.
3. Once the administrator clicks on the “delete” action, the XSS payload is executed.
2015-06-10 Vulnerability reported to Orchard CMS development team
2015-06-12 Response and issue verification
2015-06-30 Update and patch release
2015-07-06 Public Disclosure
Reported by Paris Zoumpouloglou
 Full Disclosure
 CVE Details