Intelliants: Security Vulnerabilities
uploads/.htaccess in Subrion CMS 4.2.1 allows XSS because it does not block .html file uploads (but does block, for example, .htm file uploads).
CVSS Score: 6.1; EPSS Score: 0.035; Published: 2018-08-02
There are CSRF vulnerabilities in Subrion CMS 4.1.x through 4.1.5, and before 4.2.0, because of a logic error. Although there is functionality to detect CSRF, it is called too late in the ia.core.php code, allowing (for example) an attack against the query parameter to panel/database.
CVSS Score: 8.8; EPSS Score: 0.001; Published: 2017-10-06
Subrion CMS before 4.1.5.10 has a SQL injection vulnerability in /front/search.php via the $_GET array.
CVSS Score: 9.8; EPSS Score: 0.786; Published: 2017-07-19
Subrion CMS before 4.1.6 has a SQL injection vulnerability in /front/actions.php via the $_POST array.
CVSS Score: 9.8; EPSS Score: 0.003; Published: 2017-07-19
Cross-site scripting (XSS) vulnerability in Subrion CMS 4.1.4 allows remote attackers to inject arbitrary web script or HTML via the body to blog/add/, a different vulnerability than CVE-2017-6069.
CVSS Score: 6.1; EPSS Score: 0.002; Published: 2017-07-02
Subrion CMS 4.0.5.10 has CSRF in admin/blog/add/. The attacker can add any blog entry, and can optionally insert XSS into that entry via the body parameter.
CVSS Score: 8.8; EPSS Score: 0.001; Published: 2017-03-27
Subrion CMS 4.0.5.10 has SQL injection in admin/database/ via the query parameter.
CVSS Score: 9.8; EPSS Score: 0.006; Published: 2017-03-27
Subrion CMS 4.0.5 has CSRF in admin/languages/edit/1/. The attacker can perform any Edit Language action, and can optionally insert XSS via the title parameter.
CVSS Score: 8.8; EPSS Score: 0.002; Published: 2017-03-27
Subrion CMS 4.0.5 has CSRF in admin/blocks/add/. The attacker can create any block, and can optionally insert XSS via the content parameter.
CVSS Score: 8.8; EPSS Score: 0.002; Published: 2017-03-27
Subrion CMS 4.0.5 has CSRF in admin/blog/add/. The attacker can add any tag, and can optionally insert XSS via the tags parameter.
CVSS Score: 8.8; EPSS Score: 0.002; Published: 2017-03-27

