
CVSS: 5.4 • EPSS: 0% • CPEs: 1 • EXPL: 2

04 Nov 2020 — Subrion CMS v4.2.1 allows XSS via the panel/phrases/ VALUE parameter. • https://github.com/ngpentest007/CVE-2019-7356 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 2

14 May 2020 — An XSS issue was identified on the Subrion CMS 4.2.1 /panel/configuration/general settings page. A remote attacker can inject arbitrary JavaScript code in the v[language_switch] parameter (within multipart/form-data), which is reflected back within a user's browser without proper output encoding. • https://packetstorm.news/files/id/157699 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 8.1 • EPSS: 0% • CPEs: 1 • EXPL: 2

14 May 2020 — A Cross-Site Request Forgery (CSRF) vulnerability was discovered in Subrion CMS 4.2.1 that allows a remote attacker to remove files on the server without a victim's knowledge, by enticing an authenticated user to visit an attacker's web page. The application fails to validate the CSRF token for a GET request. An attacker can craft a panel/uploads/read.json?cmd=rm URL (removing this token) and send it to the victim. • https://packetstorm.news/files/id/157700 • CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 6.5 • EPSS: 0% • CPEs: 1 • EXPL: 1

29 Apr 2020 — Subrion CMS 4.2.1 allows session fixation via an alphanumeric value in a session cookie. • https://github.com/belong2yourself/vulnerabilities/tree/master/Subrion%20CMS/Session%20Fixation • CWE-384: Session Fixation

CVSS: 7.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

29 Apr 2020 — Subrion CMS 4.2.1 allows CSV injection via a phrase value within a language. This is related to phrases/add/ and languages/download/. • https://github.com/belong2yourself/vulnerabilities/tree/master/Subrion%20CMS/CSV%20Injection

CVSS: 6.5 • EPSS: 0% • CPEs: 1 • EXPL: 1

29 Apr 2020 — admin/blocks.php in Subrion CMS through 4.2.1 allows PHP Object Injection (with resultant file deletion) via serialized data in the subpages value within a block to blocks/edit. • https://github.com/belong2yourself/vulnerabilities/tree/master/Subrion%20CMS/Insecure%20Deserialization/Subpages%20-%20Authenticated%20PHP%20Object%20Injection • CWE-502: Deserialization of Untrusted Data

CVSS: 5.4 • EPSS: 0% • CPEs: 1 • EXPL: 4

06 Oct 2019 — Subrion 4.2.1 allows XSS via the panel/members/ Username, Full Name, or Email field, aka an "Admin Member JSON Update" issue. Subrion version 4.2.1 suffers from a persistent cross site scripting vulnerability. • https://packetstorm.news/files/id/154746 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 1

08 May 2019 — Subrion CMS 4.2.1 allows _core/en/contacts/ XSS via the name, email, or phone parameter. • https://github.com/intelliants/subrion/commits/develop • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 4.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

04 Dec 2018 — panel/uploads/#elf_l1_XA in Subrion CMS v4.2.1 allows XSS via an SVG file with JavaScript in a SCRIPT element. • https://github.com/security-breachlock/CVE-2018-16629/blob/master/subrion_cms.pdf • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 5.4 • EPSS: 0% • CPEs: 1 • EXPL: 1

04 Dec 2018 — Subrion CMS v4.2.1 allows XSS via the panel/configuration/general/ SITE TITLE parameter. • https://github.com/security-breachlock/CVE-2018-16631/blob/master/Subrion_cms.pdf • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')