VYPR
Moderate severity · NVD Advisory · Published Nov 9, 2022 · Updated May 1, 2025

CVE-2022-43120

Description

A cross-site scripting (XSS) vulnerability in the /panel/fields/add component of Intelliants Subrion CMS v4.2.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Field default value text field.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A stored XSS vulnerability in Subrion CMS 4.2.1 allows attackers to inject arbitrary web scripts via the Field default value field in /panel/fields/add.

Vulnerability Overview

A stored cross-site scripting (XSS) vulnerability exists in Intelliants Subrion CMS v4.2.1. The flaw resides in the /panel/fields/add component, where a crafted payload injected into the Field default value text field is not properly sanitized [1][3]. This allows an attacker to execute arbitrary web scripts or HTML in the context of the admin panel.

Exploitation Details

To exploit this vulnerability, an attacker must have access to the administrative panel and be able to navigate to the 'Add Field' page at /panel/fields/add. No special privileges beyond standard admin access are required [3]. The attacker simply inserts an XSS payload into the 'default value' field, which is then stored and executed when the page is loaded or when a user interacts with the crafted field.

Impact

Successful exploitation enables the attacker to execute arbitrary JavaScript or HTML in the admin panel. This can lead to session hijacking, credential theft, or other malicious actions within the context of the affected admin session. The stored nature of the payload means it will affect any user who views the page containing the malicious field.

Mitigation Status

As of the publication date (2022-11-09), no patch has been released. Users should upgrade to a newer version of Subrion CMS if available, or restrict access to the admin panel and validate input manually. The issue was reported on the project's GitHub issue tracker [3]. The vendor may address this in future releases [2].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
intelliants/subrion (Packagist) | <= 4.2.1 |

Affected products

2

Patches

0

No patches discovered yet.

References

3
