
CVE-2019-20390 – Subrion CMS 4.2.1 Cross Site Request Forgery
https://notcve.org/view.php?id=CVE-2019-20390
14 May 2020 — A Cross-Site Request Forgery (CSRF) vulnerability was discovered in Subrion CMS 4.2.1 that allows a remote attacker to remove files on the server without a victim's knowledge, by enticing an authenticated user to visit an attacker's web page. The application fails to validate the CSRF token for a GET request. An attacker can craft a panel/uploads/read.json?cmd=rm URL (removing this token) and send it to the victim. • https://packetstorm.news/files/id/157700 • CWE-352: Cross-Site Request Forgery (CSRF)

CVE-2020-12467
https://notcve.org/view.php?id=CVE-2020-12467
29 Apr 2020 — Subrion CMS 4.2.1 allows session fixation via an alphanumeric value in a session cookie. • https://github.com/belong2yourself/vulnerabilities/tree/master/Subrion%20CMS/Session%20Fixation • CWE-384: Session Fixation

CVE-2020-12468
https://notcve.org/view.php?id=CVE-2020-12468
29 Apr 2020 — Subrion CMS 4.2.1 allows CSV injection via a phrase value within a language. This is related to phrases/add/ and languages/download/. • https://github.com/belong2yourself/vulnerabilities/tree/master/Subrion%20CMS/CSV%20Injection

CVE-2020-12469
https://notcve.org/view.php?id=CVE-2020-12469
29 Apr 2020 — admin/blocks.php in Subrion CMS through 4.2.1 allows PHP Object Injection (with resultant file deletion) via serialized data in the subpages value within a block to blocks/edit. • https://github.com/belong2yourself/vulnerabilities/tree/master/Subrion%20CMS/Insecure%20Deserialization/Subpages%20-%20Authenticated%20PHP%20Object%20Injection • CWE-502: Deserialization of Untrusted Data

CVE-2018-21037
https://notcve.org/view.php?id=CVE-2018-21037
17 Mar 2020 — Subrion CMS 4.1.5 (and possibly earlier versions) allows CSRF to change the administrator password via the panel/members/edit/1 URI. • https://github.com/intelliants/subrion/issues/638 • CWE-352: Cross-Site Request Forgery (CSRF)

CVE-2019-17225 – Subrion 4.2.1 - 'Email' Persistant Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2019-17225
06 Oct 2019 — Subrion 4.2.1 allows XSS via the panel/members/ Username, Full Name, or Email field, aka an "Admin Member JSON Update" issue. Subrion version 4.2.1 suffers from a persistent cross site scripting vulnerability. • https://packetstorm.news/files/id/154746 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2018-11317
https://notcve.org/view.php?id=CVE-2018-11317
03 Jul 2019 — Subrion CMS before 4.1.4 has XSS. • https://github.com/intelliants/subrion/blob/610b21d3ff185bd287d55fe016d4266abf04a3bf/includes/classes/ia.admin.sitemap.php#L79-L83 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2018-16327
https://notcve.org/view.php?id=CVE-2018-16327
01 Sep 2018 — There is Stored XSS in Subrion 4.2.1 via the admin panel URL configuration. • https://github.com/intelliants/subrion/issues/771 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2018-15563 – Subrion CMS 4.2.1 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2018-15563
21 Aug 2018 — _core/admin/pages/add/ in Subrion CMS 4.2.1 has XSS via the titles[en] parameter. Subrion CMS version 4.2.1 suffers from a persistent cross site scripting vulnerability. • https://packetstorm.news/files/id/149017 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2018-14840 – Subrion CMS 4.2.1 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2018-14840
02 Aug 2018 — uploads/.htaccess in Subrion CMS 4.2.1 allows XSS because it does not block .html file uploads (but does block, for example, .htm file uploads). Subrion CMS version 4.2.1 suffers from a cross site scripting vulnerability. • https://packetstorm.news/files/id/148815 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')