Subrion
CVE-2018-16327
MEDIUM
Severity by source
AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionNVD
There is Stored XSS in Subrion 4.2.1 via the admin panel URL configuration.
AnalysisAI
There is Stored XSS in Subrion 4.2.1 via the admin panel URL configuration. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Technical ContextAI
This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. There is Stored XSS in Subrion 4.2.1 via the admin panel URL configuration. Affected products include: Intelliants Subrion.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.
Subrion CMS 4.2.1 is vulnerable to SQL Injection via ia.core.mysqli.php. Rated critical severity (CVSS 9.8), this vulner
Subrion 4.2.1 has a remote command execution vulnerability in the backend. Rated high severity (CVSS 8.8), this vulnerab
Subrion CMS 4.2.1 allows CSV injection via a phrase value within a language. Rated high severity (CVSS 7.8), this vulner
admin/blocks.php in Subrion CMS through 4.2.1 allows PHP Object Injection (with resultant file deletion) via serialized
Subrion CMS 4.2.1 allows session fixation via an alphanumeric value in a session cookie. Rated medium severity (CVSS 6.5
Cross-site scripting (XSS) vulnerability in Subrion CMS 4.1.4 allows remote attackers to inject arbitrary web script or
includes/classes/ia.core.users.php in Subrion CMS 4.0.5 allows remote attackers to conduct PHP Object Injection attacks
uploads/.htaccess in Subrion CMS 4.2.1 allows XSS because it does not block .html file uploads (but does block, for exam
A Cross-site scripting (XSS) vulnerability in Reference ID from the panel Transactions, of Subrion v4.2.1 allows attacke
A Cross-site scripting (XSS) vulnerability in /panel/configuration/financial/ of Subrion v4.2.1 allows attackers to exec
A Cross-site scripting (XSS) vulnerability in /panel/languages/ of Subrion v4.2.1 allow attackers to execute arbitrary w
Subrion 4.2.1 allows XSS via the panel/members/ Username, Full Name, or Email field, aka an "Admin Member JSON Update" i
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today