Lucene search

GitHub Advisory DatabaseGHSA-MXV3-QCMF-R6WJ

HistoryMay 14, 2022 - 1:31 a.m.

Subrion CMS XSS

2022-05-1401:31:22

CWE-79

GitHub Advisory Database

github.com

subrion cms

v4.2.1

xss

file upload

panel

svg

javascript

script element

CVSS2

3.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSS3

4.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

24.8%

JSON

panel/uploads/#elf_l1_XA in Subrion CMS v4.2.1 allows XSS via an SVG file with JavaScript in a SCRIPT element.

Affected configurations

Vulners

Node

intelliantssubrionRange≤4.2.1

VendorProductVersionCPE
intelliantssubrion*cpe:2.3:a:intelliants:subrion:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
intelliants	subrion	*	cpe:2.3:a:intelliants:subrion::::::::

References

github.com/advisories/GHSA-mxv3-qcmf-r6wj

github.com/intelliants/subrion/commit/fbc29ddb29e9c9732695e25ad2c22e038eed6385

github.com/intelliants/subrion/issues/777

github.com/security-breachlock/CVE-2018-16629/blob/master/subrion_cms.pdf

nvd.nist.gov/vuln/detail/CVE-2018-16629

CVSS2

3.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSS3

4.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

24.8%

JSON

Related for GHSA-MXV3-QCMF-R6WJ