CVE-2021-41502
Description
An issue was discovered in Subrion CMS v4.2.1. There is a stored cross-site scripting (XSS) vulnerability that can execute malicious JavaScript code by modifying the name of the uploaded image, closing the HTML tag, or adding the onerror attribute.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Subrion CMS v4.2.1 has a stored XSS vulnerability via crafted image filenames, allowing arbitrary JavaScript execution.
Vulnerability Overview
CVE-2021-41502 is a stored cross-site scripting (XSS) vulnerability in Subrion CMS version 4.2.1. The flaw resides in the image upload functionality during blog editing. By manipulating the filename of an uploaded image—specifically by closing an HTML tag or adding an onerror attribute—an attacker can inject malicious JavaScript code that is stored on the server and executed when the page is viewed [1][3].
Exploitation Details
To exploit this vulnerability, an attacker must have the ability to edit a blog entry that contains an uploaded image. The attack is performed by intercepting the save request (e.g., via Burp Suite) and modifying the image[file] parameter to include a payload such as "onerror="alert(/xss/) [3]. No authentication bypass is required; the attacker simply needs a valid account with blog editing privileges. The injected payload is stored in the database and rendered unsanitized when any user (including administrators) visits the affected blog page [1].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session hijacking, defacement, theft of sensitive data, or further attacks against the CMS instance. Since the XSS is stored, every visitor to the compromised blog page is affected, amplifying the potential damage [1][3].
Mitigation
As of the publication date, Subrion CMS v4.2.1 is the affected version. Users should upgrade to a patched release if available. The official GitHub repository [2] may contain fixes in later commits. No workaround is documented; sanitizing image filenames on the server side would mitigate the issue. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog at the time of writing.
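The server-side filename sanitization mentioned above, paired with output encoding, as an added example that is not Subrion's code. The function names, the extension allow-list and the /uploads/ path are assumptions, and the unsafe renderer is an assumed pattern consistent with the description, not the project's actual template.

```php
<?php
// Added example, not Subrion code; function names, allow-list and paths are assumptions.

// Upload time: reduce the client-supplied name to a strict allow-list, or reject it.
function sanitize_image_filename(string $name): string
{
    $name = basename(str_replace('\\', '/', $name));   // drop path components
    $ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    $stem = pathinfo($name, PATHINFO_FILENAME);
    if (!in_array($ext, ['jpg', 'jpeg', 'png', 'gif', 'webp'], true)) {
        throw new InvalidArgumentException('unsupported image extension');
    }
    // Quotes, spaces, '=', '<' and '>' are what an attribute break-out needs;
    // none of them survive this replacement.
    $stem = trim(preg_replace('/[^A-Za-z0-9_-]+/', '_', $stem), '_-');
    return ($stem === '' ? 'image' : substr($stem, 0, 100)) . '.' . $ext;
}

// Assumed vulnerable pattern: the stored name is concatenated into the markup.
function render_img_unsafe(string $stored): string
{
    return '<img src="/uploads/' . $stored . '">';
}

// Output time: percent-encode the path segment, then encode for the attribute.
// This also neutralises names that were stored before input filtering existed.
function render_img_safe(string $stored): string
{
    $src = '/uploads/' . rawurlencode($stored);
    return '<img src="' . htmlspecialchars($src, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '">';
}

// Constructed inputs: a benign name and one modelled on the payload quoted above.
$samples = ['Holiday Photo (1).JPG', 'photo.jpg"onerror="alert(/xss/)'];
foreach ($samples as $submitted) {
    try {
        echo 'stored as: ', sanitize_image_filename($submitted), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected:  ', $e->getMessage(), PHP_EOL;
    }
    echo 'unsafe:    ', render_img_unsafe($submitted), PHP_EOL;
    echo 'safe:      ', render_img_safe($submitted), PHP_EOL;
}
```

Because the payload is stored, filtering new uploads does not clean rows already in the database; the output-time encoding is what covers those.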
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| intelliants/subrion (Packagist) | <= 4.2.1 | — |
Affected products
- Subrion CMS/Subrion CMS (description)
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-jvq4-cgfw-jgf4 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2021-41502 (ghsa, ADVISORY)
- github.com/intelliants/subrion/issues/885 (ghsa, x_refsource_MISC, WEB)