Subrion Cms
Cross-site scripting in Intelliants Subrion CMS up to version 4.0.3 allows an authenticated high-privilege attacker to inject malicious JavaScript via the CSS class name argument in the Blocks Endpoint, executing in a victim user's browser upon viewing the manipulated block. Publicly available exploit code exists (disclosed on HackMD), and the vendor did not respond to responsible disclosure, leaving no patch available at time of analysis. Exploitation is constrained by a high-privilege authentication requirement and mandatory user interaction, limiting opportunistic mass exploitation but posing meaningful insider-threat and compromised-credential risk.
Multiple reflected cross-site scripting (XSS) vulnerabilities in the installation module of Subrion CMS v4.2.1 allow attackers to execute arbitrary JavaScript in the context of the user's browser by injecting a crafted payload into the dbuser, dbpwd, and dbname parameters. [CVSS 6.1 MEDIUM]
An issue was discovered in Subrion CMS 4.2.1, allowing authenticated administrators or moderators with access to the built-in Run SQL Query feature under the SQL Tool admin panel to gain escalated. Rated low severity (CVSS 3.8), this vulnerability is remotely exploitable with low attack complexity. Public exploit code is available and no vendor patch is available.