
CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 4

26 Dec 2020 — Subrion CMS 4.2.1 is affected by Cross Site Scripting (XSS) through the avatar[path] parameter in a POST request to the /_core/profile/ URI. Subrion CMS version 4.2.1 suffers from a cross site scripting vulnerability; the original discovery of cross site scripting in this version is attributed to Ismail Tasdelen in July 2018. • https://packetstorm.news/files/id/160783 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 8.8 | EPSS: 0% | CPEs: 1 | EXPL: 2

10 Nov 2020 — Subrion CMS 4.2.1 has CSRF in panel/modules/plugins/. The attacker can remotely activate/deactivate plugins. • https://github.com/ngpentest007/CVE-2019-7357 • CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 5.4 | EPSS: 0% | CPEs: 1 | EXPL: 2

04 Nov 2020 — Subrion CMS v4.2.1 allows XSS via the panel/phrases/ VALUE parameter. • https://github.com/ngpentest007/CVE-2019-7356 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 2

14 May 2020 — An XSS issue was identified on the Subrion CMS 4.2.1 /panel/configuration/general settings page. A remote attacker can inject arbitrary JavaScript code in the v[language_switch] parameter (within multipart/form-data), which is reflected back within a user's browser without proper output encoding. • https://packetstorm.news/files/id/157699 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 8.1 | EPSS: 0% | CPEs: 1 | EXPL: 2

14 May 2020 — A Cross-Site Request Forgery (CSRF) vulnerability was discovered in Subrion CMS 4.2.1 that allows a remote attacker to remove files on the server without the victim's knowledge by enticing an authenticated user to visit an attacker's web page. The application fails to validate the CSRF token for a GET request, so an attacker can craft a panel/uploads/read.json?cmd=rm URL that omits the token and send it to the victim. • https://packetstorm.news/files/id/157700 • CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 6.5 | EPSS: 0% | CPEs: 1 | EXPL: 1

29 Apr 2020 — Subrion CMS 4.2.1 allows session fixation via an alphanumeric value in a session cookie. • https://github.com/belong2yourself/vulnerabilities/tree/master/Subrion%20CMS/Session%20Fixation • CWE-384: Session Fixation
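
The fixation entry above comes down to one missing step: the ID a browser presents before login is still its ID after login, so an attacker who can plant a cookie value knows the victim's authenticated session. The script below is an added example, not Subrion code or the advisory's proof of concept: it puts the fixation-prone login next to the hardened one (server refuses IDs it never issued via session.use_strict_mode, and rotates the ID at the privilege change with session_regenerate_id) and runs both from the CLI with a constructed planted ID. The user table, credentials and planted value are made up for the demo.

```php
<?php
declare(strict_types=1);
// Added example (not Subrion code): a login that keeps whatever session ID the
// browser arrived with, next to one that refuses foreign IDs and rotates on login.

function checkCredentials(string $user, string $pass): bool {
    // Constructed credential store standing in for the real user table.
    static $users = null;
    $users ??= ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
    return isset($users[$user]) && password_verify($pass, $users[$user]);
}

// Fixation-prone: an ID the attacker planted before login is still the victim's ID after it.
function loginFixationProne(string $user, string $pass): bool {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!checkCredentials($user, $pass)) {
        return false;
    }
    $_SESSION['user'] = $user;
    return true;
}

// Hardened: the privilege change gets a fresh ID and the old session file is deleted.
function loginHardened(string $user, string $pass): bool {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!checkCredentials($user, $pass)) {
        return false;
    }
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
    $_SESSION['login_time'] = time();
    return true;
}

// Demo: the attacker "plants" a cookie value; the victim then logs in with it.
// Cookie and cache headers are switched off only so the script runs from the CLI.
ini_set('session.use_cookies', '0');
ini_set('session.cache_limiter', '');
$planted = 'attackerchosen0123456789';   // constructed; alphanumeric like the reported case
$results = [];

// Flow 1: strict mode off (PHP's default), no rotation.
ini_set('session.use_strict_mode', '0');
session_id($planted);
loginFixationProne('alice', 'correct horse');
$results['prone'] = session_id();
session_write_close();

// Flow 2: strict mode on (IDs the server never issued are replaced), rotation on login.
ini_set('session.use_strict_mode', '1');
session_id($planted);
loginHardened('alice', 'correct horse');
$results['hardened'] = session_id();
session_write_close();

foreach ($results as $flow => $after) {
    printf("%-8s planted=%s after_login=%s rotated=%s\n",
        $flow, $planted, $after, $after === $planted ? 'no' : 'yes');
}
```

Run it with `php session_fixation.php`: the first flow reports `rotated=no` (the planted ID is the authenticated ID), the second reports a fresh ID. In a deployed app keep the two ini settings in php.ini rather than at runtime, and add `session.cookie_httponly`/`session.cookie_secure` so the rotated ID is not readable from script or sent in clear.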

CVSS: 7.8 | EPSS: 0% | CPEs: 1 | EXPL: 1

29 Apr 2020 — Subrion CMS 4.2.1 allows CSV injection via a phrase value within a language. This is related to phrases/add/ and languages/download/. • https://github.com/belong2yourself/vulnerabilities/tree/master/Subrion%20CMS/CSV%20Injection
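
The CSV injection entry names two boundaries, the phrase editor (phrases/add/) where the value enters and the language download (languages/download/) where it leaves as CSV. The script below is an added example, not Subrion code: it applies a check at each boundary, rejecting formula-looking values on input and prefixing a quote on export so a spreadsheet reads the cell as text, and exports a constructed phrase table with fputcsv. Function names and the sample phrases are the example's own.

```php
<?php
declare(strict_types=1);
// Added example (not Subrion code): input-side rejection and export-side
// neutralisation of spreadsheet formula triggers in phrase values.

// Leading characters that make Excel/LibreOffice evaluate a CSV cell as a formula.
const FORMULA_TRIGGERS = ['=', '+', '-', '@', "\t", "\r"];

function looksLikeFormula(string $cell): bool {
    $cell = ltrim($cell);              // "  =1+1" is still evaluated by some clients
    return $cell !== '' && in_array($cell[0], FORMULA_TRIGGERS, true);
}

// At the input boundary (the phrase editor): refuse values that would become formulas.
function validatePhraseValue(string $value): bool {
    return !looksLikeFormula($value);
}

// At the export boundary (the language download): prefix a single quote so the
// spreadsheet reads the cell as literal text. Values stored before the input
// check existed still pass through here, so both layers are needed.
function neutralizeCell(string $cell): string {
    return looksLikeFormula($cell) ? "'" . ltrim($cell) : $cell;
}

function exportPhrasesCsv(array $phrases): string {
    $fh = fopen('php://memory', 'w+');
    // Empty $escape gives plain RFC 4180 quoting: quotes inside a cell are doubled.
    fputcsv($fh, ['key', 'value'], ',', '"', '');
    foreach ($phrases as $key => $value) {
        fputcsv($fh, [neutralizeCell((string) $key), neutralizeCell($value)], ',', '"', '');
    }
    rewind($fh);
    $csv = stream_get_contents($fh);
    fclose($fh);
    return $csv;
}

// Constructed sample: one benign phrase and two that would be evaluated as formulas.
$phrases = [
    'site_title'   => 'My Site',
    'welcome_text' => '=HYPERLINK("http://attacker.example/", "Click here")',
    'footer_note'  => '  -2+3',
];
foreach ($phrases as $key => $value) {
    printf("%-13s accepted at input: %s\n", $key, validatePhraseValue($value) ? 'yes' : 'no');
}
echo exportPhrasesCsv($phrases);
```

The leading quote is the conventional mitigation, but it changes the exported value (the quote shows up in the cell), so the input-side check is the one that keeps the data clean; the export-side one is there for rows that were stored before the check was added.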

CVSS: 6.5 | EPSS: 0% | CPEs: 1 | EXPL: 1

29 Apr 2020 — admin/blocks.php in Subrion CMS through 4.2.1 allows PHP Object Injection (with resultant file deletion) via serialized data in the subpages value within a block to blocks/edit. • https://github.com/belong2yourself/vulnerabilities/tree/master/Subrion%20CMS/Insecure%20Deserialization/Subpages%20-%20Authenticated%20PHP%20Object%20Injection • CWE-502: Deserialization of Untrusted Data
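
The deserialization entry describes the general PHP pattern: a serialized blob from the request goes through unserialize(), so the request decides which classes are instantiated and which magic methods run. The script below is an added example, not Subrion code and not the advisory's gadget chain: it shows the weak call next to a parser that forbids objects and checks the expected shape (a flat list of page slugs), using a constructed stand-in gadget class whose destructor only records what a real one would delete. The class, the slug pattern and the serialized blobs are the example's own.

```php
<?php
declare(strict_types=1);
// Added example (not Subrion code): what unserialize() on attacker-controlled
// block data lets through, and a parser that only accepts the shape it expects.

// Stand-in gadget. Any class with a magic method (__destruct, __wakeup, ...)
// reachable from unserialize() is enough; in the reported case the side effect
// was file deletion, here the destructor only records what it would have touched.
final class CleanupJob {
    public static array $log = [];
    public string $path = '';
    public function __destruct() {
        self::$log[] = $this->path;   // a real gadget would call unlink($this->path)
    }
}

// Weak pattern: the blob decides which classes get instantiated.
function parseSubpagesUnsafe(string $raw): mixed {
    return @unserialize($raw);
}

// Hardened: no objects at all (allowed_classes => false turns them into
// __PHP_Incomplete_Class, which has no magic methods), a depth limit, and an
// explicit shape check: a flat list of page slugs.
function parseSubpagesSafe(string $raw): array {
    $data = @unserialize($raw, ['allowed_classes' => false, 'max_depth' => 3]);
    if (!is_array($data)) {
        return [];
    }
    $slugs = [];
    foreach ($data as $item) {
        if (is_string($item) && preg_match('/^[a-z0-9_\-\/]{1,128}$/i', $item) === 1) {
            $slugs[] = $item;
        }
    }
    return $slugs;
}

// Demo with constructed blobs: a legitimate subpage list, and one carrying the gadget.
$legit     = serialize(['about', 'contact']);
$malicious = 'a:1:{i:0;O:10:"CleanupJob":1:{s:4:"path";s:14:"/tmp/demo-file";}}';

$r = parseSubpagesUnsafe($malicious);
unset($r);   // the injected object is destroyed here, so its destructor fires
printf("unsafe: destructor ran %d time(s), recorded %s\n",
    count(CleanupJob::$log), json_encode(CleanupJob::$log));

$before = count(CleanupJob::$log);
print_r(parseSubpagesSafe($legit));
print_r(parseSubpagesSafe($malicious));
printf("safe: destructor ran %d more time(s)\n", count(CleanupJob::$log) - $before);
```

`allowed_classes => false` is the minimum; the better fix for a field that only ever holds a list of strings is to stop using PHP serialization for it and store JSON, decoded with `json_decode($raw, true)`, which has no class instantiation path at all.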

CVSS: 8.8 | EPSS: 0% | CPEs: 1 | EXPL: 1

17 Mar 2020 — Subrion CMS 4.1.5 (and possibly earlier versions) allows CSRF to change the administrator password via the panel/members/edit/1 URI. • https://github.com/intelliants/subrion/issues/638 • CWE-352: Cross-Site Request Forgery (CSRF)
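
The three CSRF entries above (plugin activation in panel/modules/plugins/, file removal through panel/uploads/read.json?cmd=rm, and the administrator password change through panel/members/edit/1) all need the same gate in front of the mutation: a per-session token compared in constant time, and no state change reachable by GET at all, since a GET is exactly what an `<img>` on the attacker's page sends with the victim's cookies. The script below is an added example, not Subrion code: `$session` is an array standing in for `$_SESSION` so it runs from the CLI, the uploads controller and its `MUTATING_CMDS` list are assumed for the demo, and the request cases are constructed.

```php
<?php
declare(strict_types=1);
// Added example (not Subrion code): a per-session token check for state-changing
// admin actions, with GET refused outright. $session stands in for $_SESSION so
// the script runs from the CLI; MUTATING_CMDS is an assumed list for the demo.

const CSRF_TOKEN_KEY = 'csrf_token';
const MUTATING_CMDS  = ['rm', 'rename', 'mkdir', 'upload'];

function issueCsrfToken(array &$session): string {
    if (empty($session[CSRF_TOKEN_KEY])) {
        $session[CSRF_TOKEN_KEY] = bin2hex(random_bytes(32));
    }
    return $session[CSRF_TOKEN_KEY];
}

// Constant-time comparison; a session that never received a token fails closed.
function csrfTokenValid(array $session, mixed $presented): bool {
    return is_string($presented)
        && !empty($session[CSRF_TOKEN_KEY])
        && hash_equals($session[CSRF_TOKEN_KEY], $presented);
}

// Gate in front of any mutation (delete an upload, toggle a plugin, edit a member).
// Returns an HTTP status: 200 proceed, 405 wrong method, 403 missing or bad token.
function authorizeMutation(string $method, array $params, array $session): int {
    // A mutation must never be reachable by GET: that is the request an <img src=...>
    // on the attacker's page sends, cookies included.
    if ($method !== 'POST') {
        return 405;
    }
    if (!csrfTokenValid($session, $params[CSRF_TOKEN_KEY] ?? null)) {
        return 403;
    }
    return 200;
}

// Minimal stand-in for an uploads controller: read-only commands pass,
// everything in MUTATING_CMDS goes through the gate.
function handleUploadsRequest(string $method, array $params, array $session): int {
    $cmd = $params['cmd'] ?? 'list';
    if (!in_array($cmd, MUTATING_CMDS, true)) {
        return 200;
    }
    return authorizeMutation($method, $params, $session);
}

// Demo with constructed requests.
$session = [];
$token   = issueCsrfToken($session);
$cases = [
    'GET ?cmd=rm (the forged link)'       => ['GET',  ['cmd' => 'rm', 'target' => 'x.txt']],
    'POST cmd=rm, no token'               => ['POST', ['cmd' => 'rm', 'target' => 'x.txt']],
    'POST cmd=rm, guessed token'          => ['POST', ['cmd' => 'rm', 'csrf_token' => str_repeat('a', 64)]],
    'POST cmd=rm, token from the session' => ['POST', ['cmd' => 'rm', 'csrf_token' => $token]],
    'GET ?cmd=list (read-only)'           => ['GET',  ['cmd' => 'list']],
];
foreach ($cases as $label => [$method, $params]) {
    printf("%-36s -> %d\n", $label, handleUploadsRequest($method, $params, $session));
}
```

Only the fourth case returns 200. The same `authorizeMutation()` call belongs in front of the plugin toggle and the member edit handler; a `SameSite=Lax` session cookie is worth adding as defence in depth, but it does not replace the token, since a top-level GET navigation still carries Lax cookies.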

CVSS: 5.4 | EPSS: 0% | CPEs: 1 | EXPL: 4

06 Oct 2019 — Subrion 4.2.1 allows XSS via the panel/members/ Username, Full Name, or Email field, aka an "Admin Member JSON Update" issue. Subrion version 4.2.1 suffers from a persistent cross site scripting vulnerability. • https://packetstorm.news/files/id/154746 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
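
The four CWE-79 entries on this page (avatar[path], the panel/phrases/ VALUE parameter, v[language_switch], and the members JSON update) share one cause: a submitted value is written back into a page or a JSON response without encoding for the context it lands in. The script below is an added example, not Subrion code: it shows a field echoed raw into an HTML attribute next to the encoded version, and a member record serialised to JSON with and without the JSON_HEX_* flags, run over a constructed probe string. The function names and the probe are the example's own.

```php
<?php
declare(strict_types=1);
// Added example (not Subrion code): encoding for the two sinks the XSS entries hit,
// an HTML attribute echoed back into a form and a JSON document consumed by admin JS.

function encHtml(string $s): string {
    // ENT_QUOTES covers both quote styles, ENT_SUBSTITUTE keeps invalid UTF-8 from
    // silently producing an empty string.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Vulnerable: the submitted value goes straight back into the attribute.
function renderFieldUnsafe(string $name, string $value): string {
    return "<input name=\"$name\" value=\"$value\">";
}

// Fixed: encode for the (double-quoted) attribute context.
function renderFieldSafe(string $name, string $value): string {
    return '<input name="' . encHtml($name) . '" value="' . encHtml($value) . '">';
}

// JSON returned to the admin UI. json_encode() already turns "/" into "\/", so a
// "</script>" cannot close an inline script block; the JSON_HEX_* flags additionally
// hex-escape < > & ' " so the document is safe to embed anywhere in HTML.
function memberJsonUnsafe(array $member): string {
    return json_encode($member, JSON_THROW_ON_ERROR);
}
function memberJsonSafe(array $member): string {
    return json_encode($member,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

// Demo on a constructed probe string (not a payload from the advisories).
$probe = '"><img src=x onerror=alert(1)>';
echo renderFieldUnsafe('username', $probe), "\n";
echo renderFieldSafe('username', $probe), "\n";
echo memberJsonUnsafe(['fullname' => $probe]), "\n";
echo memberJsonSafe(['fullname' => $probe]), "\n";
```

One caveat on the JSON side: the hex flags protect the JSON text itself, not the value after the client runs JSON.parse on it, which yields the original string again. Client code that writes `member.fullname` into the page must therefore use `textContent` (or encode it) rather than `innerHTML`, or the stored value executes on the next render.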