
CVE-2021-41948
https://notcve.org/view.php?id=CVE-2021-41948
29 Apr 2022 — A cross-site scripting (XSS) vulnerability exists in the "contact us" plugin for Subrion CMS <= 4.2.1 via "List of subjects". • https://github.com/intelliants/subrion-plugin-contact_us/issues/8 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2020-23761
https://notcve.org/view.php?id=CVE-2020-23761
09 Apr 2021 — Cross-site scripting (XSS) vulnerability in Subrion CMS version <= 4.2.1 allows remote attackers to execute arbitrary web script via the "payment gateway" column on the transactions tab. • http://hidden-one.co.in/2021/04/09/cve-2020-23761-stored-xss-vulnerability-in-subrion-cms-version • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2020-12469
https://notcve.org/view.php?id=CVE-2020-12469
29 Apr 2020 — admin/blocks.php in Subrion CMS through 4.2.1 allows PHP Object Injection (with resultant file deletion) via serialized data in the subpages value within a block to blocks/edit. • https://github.com/belong2yourself/vulnerabilities/tree/master/Subrion%20CMS/Insecure%20Deserialization/Subpages%20-%20Authenticated%20PHP%20Object%20Injection • CWE-502: Deserialization of Untrusted Data

CVE-2018-21037
https://notcve.org/view.php?id=CVE-2018-21037
17 Mar 2020 — Subrion CMS 4.1.5 (and possibly earlier versions) allows CSRF to change the administrator password via the panel/members/edit/1 URI. • https://github.com/intelliants/subrion/issues/638 • CWE-352: Cross-Site Request Forgery (CSRF)

CVE-2017-15063
https://notcve.org/view.php?id=CVE-2017-15063
06 Oct 2017 — There are CSRF vulnerabilities in Subrion CMS 4.1.x through 4.1.5, and before 4.2.0, because of a logic error. Although there is functionality to detect CSRF, it is called too late in the ia.core.php code, allowing (for example) an attack against the query parameter to panel/database. • https://github.com/intelliants/subrion/issues/547 • CWE-352: Cross-Site Request Forgery (CSRF)

CVE-2017-10795
https://notcve.org/view.php?id=CVE-2017-10795
02 Jul 2017 — Cross-site scripting (XSS) vulnerability in Subrion CMS 4.1.4 allows remote attackers to inject arbitrary web script or HTML via the body to blog/add/, a different vulnerability than CVE-2017-6069. • http://www.securityfocus.com/bid/99378 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')