| 0 |
| url |
VCID-3bwe-5b6b-a7e2 |
| vulnerability_id |
VCID-3bwe-5b6b-a7e2 |
| summary |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Subrion CMS v4.2.1 is vulnerable to Stored XSS because of no escaping added to the tooltip information being displayed in multiple areas. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2018-14835, GHSA-c8mg-wp7h-f2pf
|
| risk_score |
null |
| exploitability |
0.5 |
| weighted_severity |
0.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-3bwe-5b6b-a7e2 |
|
| 1 |
| url |
VCID-3h1n-dvmt-5qhz |
| vulnerability_id |
VCID-3h1n-dvmt-5qhz |
| summary |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
A Cross-site scripting (XSS) vulnerability in /panel/configuration/financial/ of Subrion v4.2.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into several fields: 'Minimum deposit', 'Maximum deposit' and/or 'Maximum balance'. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2023-43830, GHSA-q832-2275-rfqh
|
| risk_score |
null |
| exploitability |
0.5 |
| weighted_severity |
0.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-3h1n-dvmt-5qhz |
|
| 2 |
| url |
VCID-3hbd-spm4-2kaz |
| vulnerability_id |
VCID-3hbd-spm4-2kaz |
| summary |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Multiple Cross-Site Scripting (XSS) vulnerabilities in the installation of Subrion CMS v4.2.1 allow a local attacker to execute arbitrary web scripts via a crafted payload injected into the dbhost, dbname, dbuser, adminusername and adminemail fields. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2023-43875, GHSA-646r-8fcc-p82r
|
| risk_score |
null |
| exploitability |
0.5 |
| weighted_severity |
0.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-3hbd-spm4-2kaz |
|
| 9 |
| url |
VCID-94z6-as1s-pkem |
| vulnerability_id |
VCID-94z6-as1s-pkem |
| summary |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross Site Scripting (XSS) vulnerability exists in Subrion CMS 4.2.2 when adding a blog and then editing an image file. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2020-22392, GHSA-hxj6-v58r-cqv3
|
| risk_score |
null |
| exploitability |
0.5 |
| weighted_severity |
0.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-94z6-as1s-pkem |
|
| 12 |
| url |
VCID-abws-hvpw-myfy |
| vulnerability_id |
VCID-abws-hvpw-myfy |
| summary |
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Subrion 4.2.1 has a remote command execution vulnerability in the backend. |
| references |
| 0 |
| reference_url |
https://github.com/intelliants/subrion/issues/909 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
7.2 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
8.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track* |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-09-06T16:02:20Z/ |
|
|
| url |
https://github.com/intelliants/subrion/issues/909 |
|
|
| fixed_packages |
|
| aliases |
CVE-2023-46947, GHSA-2x28-c7j7-23gv
|
| risk_score |
null |
| exploitability |
0.5 |
| weighted_severity |
0.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-abws-hvpw-myfy |
|
| 13 |
| url |
VCID-by36-7n26-g7cc |
| vulnerability_id |
VCID-by36-7n26-g7cc |
| summary |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
panel/uploads/#elf_l1_XA in Subrion CMS v4.2.1 allows XSS via an SVG file with JavaScript in a SCRIPT element. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2018-16629, GHSA-mxv3-qcmf-r6wj
|
| risk_score |
null |
| exploitability |
0.5 |
| weighted_severity |
0.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-by36-7n26-g7cc |
|
| 15 |
| url |
VCID-ekj6-hqpd-5ybq |
| vulnerability_id |
VCID-ekj6-hqpd-5ybq |
| summary |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Multiple Cross Site Scripting (XSS) vulnerabilities exist in Intelliants Subrion CMS v4.2.1 in the Configuration panel. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2020-18325, GHSA-pcwq-7wrw-r8jv
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ekj6-hqpd-5ybq |
|
| 17 |
| url |
VCID-fc5n-dcez-93fn |
| vulnerability_id |
VCID-fc5n-dcez-93fn |
| summary |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
A cross-site scripting (XSS) vulnerability exists in the "contact us" plugin for Subrion CMS <= 4.2.1 version via "List of subjects". |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2021-41948, GHSA-jv64-2m3x-6v4q
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-fc5n-dcez-93fn |
|
| 21 |
| url |
VCID-j8ge-mhfk-ebd9 |
| vulnerability_id |
VCID-j8ge-mhfk-ebd9 |
| summary |
Subrion CMS vulnerable to cross-site scripting
Multiple reflected Cross-site Scripting (XSS) vulnerabilities in the installation module of Subrion CMS v4.2.1 allow attackers to execute arbitrary JavaScript in the context of the user's browser by injecting a crafted payload into the dbuser, dbpwd, and dbname parameters. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2025-70958, GHSA-9jjm-mc56-3qxv
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-j8ge-mhfk-ebd9 |
|
| 22 |
| url |
VCID-jqzh-mw8h-23bv |
| vulnerability_id |
VCID-jqzh-mw8h-23bv |
| summary |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
A Cross-site scripting (XSS) vulnerability in /panel/languages/ of Subrion v4.2.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the 'Title' parameter. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2023-43828, GHSA-4w2j-wj9q-6wpx
|
| risk_score |
null |
| exploitability |
0.5 |
| weighted_severity |
0.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-jqzh-mw8h-23bv |
|
| 24 |
| url |
VCID-ngpm-xvdu-sybs |
| vulnerability_id |
VCID-ngpm-xvdu-sybs |
| summary |
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
A Remote Code Execution (RCE) vulnerability exists in Subrion CMS 4.2.1 via modified code in a background field; when the information is modified, the data in it is executed through eval(). |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2021-43464, GHSA-g54x-29xv-58h5
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ngpm-xvdu-sybs |
|
| 26 |
| url |
VCID-qwxk-wzqe-7kdp |
| vulnerability_id |
VCID-qwxk-wzqe-7kdp |
| summary |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
A Cross-site scripting (XSS) vulnerability in the 'Reference ID' field of the Transactions panel of Subrion v4.2.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the 'Reference ID' parameter. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2023-43884, GHSA-7vff-rv2f-cj79
|
| risk_score |
null |
| exploitability |
0.5 |
| weighted_severity |
0.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-qwxk-wzqe-7kdp |
|
| 27 |
| url |
VCID-r136-w6fm-t7fc |
| vulnerability_id |
VCID-r136-w6fm-t7fc |
| summary |
Unrestricted Upload of File with Dangerous Type
/panel/uploads in Subrion CMS 4.2.1 allows remote attackers to execute arbitrary PHP code via a .pht or .phar file, because the .htaccess file omits these extensions. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2018-19422, GHSA-73xj-v6gc-g5p5
|
| risk_score |
10.0 |
| exploitability |
2.0 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-r136-w6fm-t7fc |
|
| 30 |
| url |
VCID-sqbf-5a82-yucu |
| vulnerability_id |
VCID-sqbf-5a82-yucu |
| summary |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross Site Scripting (XSS) vulnerability exists in Subrion CMS 4.2.1 via the q parameter in the Kickstart template. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2020-18324, GHSA-xj7h-g7rh-gjcw
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-sqbf-5a82-yucu |
|
| 31 |
| url |
VCID-vzeg-42da-euej |
| vulnerability_id |
VCID-vzeg-42da-euej |
| summary |
Cross-Site Request Forgery (CSRF)
Cross Site Request Forgery (CSRF) vulnerability exists in Intelliants Subrion CMS v4.2.1 via the Members administrator function, which could let a remote unauthenticated malicious user send an authorised request to a victim and successfully create an arbitrary administrator user. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2020-18326, GHSA-9cc3-5w85-pxvx
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-vzeg-42da-euej |
|