CVE-2020-23761
Description
Cross Site Scripting (XSS) vulnerability in subrion CMS Version <= 4.2.1 allows remote attackers to execute arbitrary web script via the "payment gateway" column on transactions tab.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Subrion CMS <= 4.2.1 allows attackers to execute arbitrary web script via the payment gateway field on the transactions tab.
Vulnerability
Subrion CMS versions up to and including 4.2.1 are vulnerable to a stored cross-site scripting (XSS) flaw. The vulnerability exists in the "payment gateway" column on the transactions tab, where an attacker can inject arbitrary JavaScript code that is stored and later executed when the column is rendered [2].
Exploitation
To exploit this vulnerability, an attacker must have access to the administrative interface and the ability to modify payment gateway settings. The attacker injects malicious script into the payment gateway name field. When an administrator views the transactions tab, the stored script executes in their browser context [2].
Impact
Successful exploitation allows the attacker to execute arbitrary web scripts in the context of the victim's session. This can lead to theft of sensitive information, session hijacking, or defacement of admin pages. The attack compromises the confidentiality and integrity of the admin panel [2].
Mitigation
As of the publication date (2021-04-09), no official patch was available for CVE-2020-23761. Users of Subrion CMS <= 4.2.1 should consider upgrading to a newer version if available, or apply strict input validation and sanitization on the payment gateway field. Disabling the transactions tab feature may be a temporary workaround [2][1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| intelliants/subrion (Packagist) | <= 4.2.1 | — |
Affected products
- subrion/subrion CMS (description)
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-xhc3-5pgf-p576 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2020-23761 (ghsa, ADVISORY)
- hidden-one.co.in/2021/04/09/cve-2020-23761-stored-xss-vulnerability-in-subrion-cms-version (ghsa, WEB)
- hidden-one.co.in/2021/04/09/cve-2020-23761-stored-xss-vulnerability-in-subrion-cms-version/ (mitre, x_refsource_MISC)
- subrion.org (ghsa, WEB)
- subrion.org (mitre, x_refsource_MISC)