An Orchard Security Patch was just released to combat an XSS Security Flaw in connection with the Orchard CMS Blog Comment Module. Orchard.Comments is a core module in Orchard CMS so all Orchard Website Owners are asked to patch Orchard.Comments with a recently released security patch. This XSS vulnerability exists in all versions of Orchard CMS up to and including 1.6, so anyone running versions of Orchard CMS prior to Orchard 1.6.1 should apply the patch.

Orchard Security Path

The Orchard Security Patch is available here. Apply this patch to Orchard Websites running Orchard 1.6 or earlier.

Orchard CMS 1.6.1

An Orchard CMS 1.6.1 download was also created that includes the security patch. Therefore Orchard Web Developers should be using Orchard 1.6.1 to develop all new Orchard Websites. Websites running on Orchard 1.6.1 do not need to add the XSS Security Patch as it already contains the patch.

You can download Orchard CMS 1.6.1 here. It may take a couple of days before Orchard 1.6.1 is available via the Azure Web Gallery and the WebMatrix Web Gallery so verify they are indeed installing Orchard Version 1.6.1 before beginning development.