VYPR
High severity · NVD Advisory · Published Apr 4, 2022 · Updated Aug 4, 2024

CVE-2021-43464

Description

A Remote Code Execution (RCE) vulnerability exists in Subrion CMS 4.2.1 via modified code in a background field; when the information is modified, the data in it will be executed through eval().

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Subrion CMS 4.2.1 allows authenticated admin users to execute arbitrary PHP code via unsanitized eval() in the background field.

Vulnerability

Subrion CMS version 4.2.1 contains a remote code execution vulnerability in the background field configuration. An authenticated administrator can supply arbitrary PHP code in the "Validation PHP code" field when editing a custom field (e.g., a Facebook field). This input is stored in the database and later executed via eval() when the field is modified by a user on the frontend (/profile/?edit). No further input sanitization or filtering is applied to the code before execution. [1], [3]

Exploitation

An attacker must have administrative access to the Subrion CMS backend (i.e., be logged in as an admin). From the admin panel, the attacker navigates to Fields, selects a field (e.g., Facebook), opens its settings, marks "Required field", and pastes arbitrary PHP code into the "Validation PHP code" textarea. After saving, the attacker then visits /profile/?edit on the frontend. Any code placed in the validation field is executed server‑side via eval() when the profile edit form processes the field. The original proof‑of‑concept places a webshell in the ./templates/ directory and creates a .htaccess file to bypass existing rewrite restrictions. [3]

Impact

Successful exploitation results in full remote code execution in the context of the web server. The attacker can execute arbitrary system commands, read/write files, install backdoors, or pivot to other internal resources. The compromise achieves full control over the Subrion CMS instance and potentially the underlying server. [1], [3]

Mitigation

The vendor has not released a patched version for this vulnerability. As of the publication date (2022‑04‑04), Subrion CMS 4.2.1 remains the latest version and is affected. No official fix exists. Workarounds include restricting administrative access to trusted users only, monitoring admin panel changes, and implementing a web application firewall (WAF) to block attempts to inject eval() or dangerous PHP functions. The issue is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of this writing. [2], [3]

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
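The following is an added illustration of the code pattern the advisory describes (storing administrator-supplied PHP and later handing it to eval()) next to the shape a fix would take. It is not Subrion CMS code and not part of this advisory; the configuration keys 'validation_php' and 'rules', the function names, and the sample field configurations are all constructed for the example. The hardened version stores only a validator name plus data parameters and rejects any name it does not know, so nothing loaded from the database can reach the interpreter.

```php
<?php
declare(strict_types=1);

// Added illustration for the CVE-2021-43464 pattern; this is not Subrion CMS code.
// The configuration keys 'validation_php' and 'rules' are assumed for the example.

// Vulnerable pattern: the advisory describes admin-supplied "Validation PHP code"
// being stored and later passed to eval() when a profile form is processed.
// Whatever PHP that string holds runs with the web server's privileges.
function validateWithEval(array $fieldConfig, string $value): bool
{
    // $fieldConfig['validation_php'] was loaded from the database and is
    // fully controlled by whoever can edit the field in the admin panel.
    return (bool) eval($fieldConfig['validation_php']);
}

// Hardened pattern: storage holds only a validator *name* and data parameters.
// The code lives in the application; a stored name that is not in the table is
// rejected, so no path leads from the database to the PHP interpreter.
function validatorTable(): array
{
    return [
        'required'   => fn(string $v, array $p): bool => trim($v) !== '',
        'max_length' => fn(string $v, array $p): bool =>
            mb_strlen($v) <= (int) ($p['max'] ?? PHP_INT_MAX),
        'url'        => fn(string $v, array $p): bool =>
            filter_var($v, FILTER_VALIDATE_URL) !== false,
        'email'      => fn(string $v, array $p): bool =>
            filter_var($v, FILTER_VALIDATE_EMAIL) !== false,
    ];
}

function validateDeclarative(array $fieldConfig, string $value): bool
{
    $table = validatorTable();
    foreach ($fieldConfig['rules'] ?? [] as $rule) {
        $name = (string) ($rule['name'] ?? '');
        if (!isset($table[$name])) {
            // Fail closed: an unknown rule is a configuration error, never code to run.
            throw new InvalidArgumentException("Unknown validation rule: {$name}");
        }
        if (!$table[$name]($value, $rule['params'] ?? [])) {
            return false;
        }
    }
    return true;
}

// Constructed field configurations (sample data, not taken from a real install).
$legacyConfig = ['validation_php' => 'return strlen($value) > 3;'];
$hardenedConfig = ['rules' => [
    ['name' => 'required'],
    ['name' => 'url'],
    ['name' => 'max_length', 'params' => ['max' => 100]],
]];

// The legacy form "works", but only because the stored string happened to be benign.
var_dump(validateWithEval($legacyConfig, 'https://example.com'));
var_dump(validateDeclarative($hardenedConfig, 'https://example.com'));
var_dump(validateDeclarative($hardenedConfig, 'not a url'));
try {
    // A stored rule named after a PHP function is simply an unknown name here.
    validateDeclarative(['rules' => [['name' => 'eval']]], 'anything');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Run with `php example.php` (PHP 7.4 or later for arrow functions). The eval-based function is included only so the two forms can be read side by side; the declarative table is the shape of the fix, and it also gives defenders something concrete to monitor, since any change to a field's stored rule set is a small, structured record rather than a free-form block of PHP.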

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: intelliants/subrion (Packagist)
Affected versions: <= 4.2.1
Patched versions: none listed

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0 (no linked articles in the index yet)