VYPR
Moderate severity · NVD Advisory · Published Nov 9, 2022 · Updated May 1, 2025

CVE-2022-43121

Description

A cross-site scripting (XSS) vulnerability in the CMS Field Add page of Intelliants Subrion CMS v4.2.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the tooltip text field.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Subrion CMS v4.2.1 has a stored XSS in the CMS Field Add tooltip field, enabling arbitrary script execution.

Vulnerability Analysis

A stored cross-site scripting (XSS) vulnerability exists in the CMS Field Add page of Intelliants Subrion CMS v4.2.1. The root cause is improper sanitization of the tooltip text field, allowing an attacker to inject arbitrary HTML or JavaScript payloads that are subsequently stored in the database [1].

Exploitation Prerequisites

To exploit this vulnerability, an attacker must have administrative access to the CMS Field Add page; no special network position is required beyond standard web access. The attack is straightforward: a malicious payload is entered into the tooltip text field and saved. The payload then executes automatically when any user visits the Members Add page, because the stored content is rendered without proper escaping [3].
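
The rendering flaw described above, shown as an added example that is not Subrion's code and not part of the advisory: a stored tooltip written into markup without and with output encoding, plus a check that lists stored tooltips worth reviewing. The function names, the placement of the tooltip in a `title` attribute and the sample rows are assumptions made for illustration.

```php
<?php
// Added illustration. Function names and sample rows are hypothetical,
// not taken from Subrion CMS.

// Vulnerable pattern: stored tooltip text is concatenated into markup as-is.
function renderTooltipUnsafe(string $tooltip): string
{
    return '<span class="tip" title="' . $tooltip . '">?</span>';
}

// Hardened pattern: encode on output for the HTML context the value lands in.
// ENT_QUOTES encodes both quote styles, so the value cannot leave the attribute.
function renderTooltipSafe(string $tooltip): string
{
    $encoded = htmlspecialchars($tooltip, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<span class="tip" title="' . $encoded . '">?</span>';
}

// Audit helper: list fields whose stored tooltip contains markup characters,
// so values saved before output encoding was in place can be reviewed.
// This is a coarse filter and will also flag harmless text that uses quotes.
function findSuspectTooltips(array $rows): array
{
    $suspect = [];
    foreach ($rows as $row) {
        if (preg_match('/[<>"]/', $row['tooltip']) === 1) {
            $suspect[] = $row['name'];
        }
    }
    return $suspect;
}

// Constructed sample rows (not from a real installation).
$rows = [
    ['name' => 'phone',   'tooltip' => 'Include the country code'],
    ['name' => 'website', 'tooltip' => '"><i>injected markup</i>'],
];

foreach ($rows as $row) {
    echo $row['name'], "\n";
    echo '  unsafe: ', renderTooltipUnsafe($row['tooltip']), "\n";
    echo '  safe:   ', renderTooltipSafe($row['tooltip']), "\n";
}
echo 'review: ', implode(', ', findSuspectTooltips($rows)), "\n";
```

In the unsafe output the second row closes the attribute and adds its own element to the page; in the safe output the same text stays inside `title` as inert character data.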

Impact

Successful exploitation allows the attacker to execute arbitrary web scripts in the context of the victim's browser session. This can lead to session hijacking, credential theft, or defacement of the application interface. Since the XSS is stored, it persists across sessions and affects all users who access the affected page [1].

Mitigation Status

As of the publication date, Subrion CMS v4.2.1 is affected. The vendor has not released a patch specifically for this CVE; however, users are advised to upgrade to the latest available version of Subrion CMS. No workaround other than restricting access to the CMS Field Add page is mentioned in publicly available advisories [2].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| intelliants/subrion (Packagist) | <= 4.2.1 | |

Affected products

2

Patches

0

No patches discovered yet.

References

3
