CVE-2020-22392
Description
Cross Site Scripting (XSS) vulnerability exists in Subrion CMS 4.2.2 when adding a blog and then editing an image file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Subrion CMS 4.2.2 via blog image file name injection allows arbitrary script execution.
Vulnerability
A stored XSS vulnerability exists in Subrion CMS version 4.2.2 when adding a blog post and then editing the uploaded image file. The file-name parameter is not sanitized, so attacker-controlled JavaScript can be injected into the stored value. [3]
Exploitation
An attacker can create a blog post, upload an image, then edit the image file name to include an onerror event handler, e.g., x onerror=alert(/xss/). When the blog page is rendered, the stored file name is emitted into the page and the script executes. [3]
Impact
Successful exploitation leads to execution of arbitrary JavaScript in the victim's browser, potentially allowing theft of session cookies, defacement, or other client-side attacks.
Mitigation
No fix has been released as of the publication date. The issue is tracked on GitHub but remains unpatched. Users should restrict access to blog editing or apply input sanitization manually. [3]
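One way to apply the input sanitization the mitigation note suggests, as an added example that is not Subrion's own code: a hypothetical PHP helper that allowlists an edited image file name at save time and still attribute-encodes it at render time, exercised against the payload shape quoted above.

```php
<?php
// Added example, not code from Subrion CMS. Function names and the
// upload path are assumptions for illustration.

// Accept only a bare file name made of safe characters with a single
// image extension; anything else (spaces, '=', '/', '..') is rejected.
function validate_image_filename(string $name): ?string
{
    $name = basename($name); // drop any directory component
    if (!preg_match('/^[A-Za-z0-9_-]{1,100}\.(jpe?g|png|gif|webp)$/i', $name)) {
        return null;
    }
    return $name;
}

// Render the <img> tag. If the name were concatenated into the tag
// unquoted and unencoded, the space in "x onerror=..." would end the
// src value and onerror would become a live event handler. Here the
// allowlist rejects the name, and the attribute is quoted and encoded
// even for names that pass.
function render_blog_image(string $name, string $baseUrl = '/uploads/blog/'): string
{
    $safe = validate_image_filename($name);
    if ($safe === null) {
        return ''; // refuse to render rather than echo a rejected name
    }
    $src = htmlspecialchars($baseUrl . $safe, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<img src="' . $src . '" alt="">';
}

// Constructed inputs: a benign name, the payload shape from this page,
// and a path-traversal attempt.
$cases = [
    'photo.jpg',
    'x onerror=alert(/xss/)',
    '../../config.php',
];
foreach ($cases as $c) {
    $out = render_blog_image($c);
    echo ($out === '' ? 'REJECTED' : $out) . '  <= ' . $c . PHP_EOL;
}
```

The allowlist runs on the stored value, so the check applies to the edit-file-name action as well as the initial upload; output encoding remains in place as the second layer.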
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| intelliants/subrion (Packagist) | <= 4.2.1 | — |
Affected products
- Subrion/CMS
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-hxj6-v58r-cqv3 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-22392 (NVD)
- github.com/intelliants/subrion/issues/868 (GitHub issue)
News mentions
No linked articles in our index yet.