VYPR
Moderate severity · NVD Advisory · Published Sep 27, 2023 · Updated Sep 24, 2024

CVE-2023-43830

Description

A cross-site scripting (XSS) vulnerability in /panel/configuration/financial/ of Subrion v4.2.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into several fields: 'Minimum deposit', 'Maximum deposit' and/or 'Maximum balance'.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Subrion CMS 4.2.1 financial configuration fields vulnerable to stored XSS, allowing arbitrary web script execution.

Vulnerability

Overview

Subrion CMS version 4.2.1 contains a stored cross-site scripting (XSS) vulnerability in the financial configuration panel at /panel/configuration/financial/. The fields 'Minimum deposit', 'Maximum deposit', and 'Maximum balance' lack proper input sanitization, allowing an attacker to inject arbitrary web scripts or HTML [1][3].

Exploitation

An attacker with administrative access can inject a crafted payload into one of the vulnerable fields. When a user, including other administrators, visits the /profile/funds/ page, the stored payload executes in the context of the victim's browser [3]. No additional authentication is required for the victim beyond being logged into the CMS.

Impact

Successful exploitation enables the attacker to execute arbitrary JavaScript in the browser of any user viewing the funds page. This can lead to session hijacking, defacement, or exfiltration of sensitive data. The attack does not require direct interaction with the victim beyond the normal use of the application.

Mitigation

As of the CVE publication date (2023-09-27), no official patch has been released. Users are advised to restrict access to the financial configuration panel, manually sanitize the affected fields, or upgrade to a newer version if available [1][3].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
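A defensive illustration of the mitigation described above, added here and not code from Subrion or from the advisory: the three amounts are validated server-side as plain decimal numbers before they are stored (so markup never reaches the configuration), and every stored setting is HTML-escaped before it is rendered on a page such as /profile/funds/. The setting keys, function names and the two sample requests are constructed assumptions, not Subrion's actual configuration names.

```php
<?php
// Added example, not Subrion's code. The setting keys below are hypothetical;
// Subrion's real configuration names may differ.
declare(strict_types=1);
const FINANCIAL_FIELDS = ['min_deposit', 'max_deposit', 'max_balance'];

/**
 * Validate the submitted financial settings. Amounts must be plain non-negative
 * decimals with at most two fractional digits, so markup never reaches storage.
 * Returns ['ok' => true, 'values' => [...]] or ['ok' => false, 'errors' => [...]].
 */
function validateFinancialSettings(array $input): array
{
    $clean = [];
    $errors = [];
    foreach (FINANCIAL_FIELDS as $field) {
        $raw = isset($input[$field]) ? trim((string) $input[$field]) : '';
        if (preg_match('/^\d{1,12}(\.\d{1,2})?$/', $raw) !== 1) {
            $errors[] = "$field must be a non-negative amount with at most two decimals";
            continue;
        }
        $clean[$field] = $raw;
    }
    // Consistency checks only make sense once all three values are well-formed.
    if ($errors === []) {
        if ((float) $clean['min_deposit'] > (float) $clean['max_deposit']) {
            $errors[] = 'min_deposit must not exceed max_deposit';
        }
        if ((float) $clean['max_deposit'] > (float) $clean['max_balance']) {
            $errors[] = 'max_deposit must not exceed max_balance';
        }
    }
    return $errors === [] ? ['ok' => true, 'values' => $clean]
                          : ['ok' => false, 'errors' => $errors];
}

/** Defence in depth: escape every stored setting before it is rendered into HTML. */
function renderSetting(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed requests: the first places markup in 'Minimum deposit' and is rejected,
// the second is a well-formed submission and is accepted.
$tampered = ['min_deposit' => '5<b>0</b>', 'max_deposit' => '500', 'max_balance' => '10000'];
$proper   = ['min_deposit' => '10.00', 'max_deposit' => '500', 'max_balance' => '10000'];
foreach ([$tampered, $proper] as $request) {
    $result = validateFinancialSettings($request);
    echo $result['ok'] ? 'accepted' : 'rejected: ' . implode('; ', $result['errors']), PHP_EOL;
}
echo renderSetting('5<b>0</b>'), PHP_EOL; // encoded on output even if a bad value were already stored
```

The output-encoding step matters on its own because values saved before the validation was added are still in the database; escaping at render time neutralises them without a data migration.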

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                          Affected versions   Patched versions
intelliants/subrion (Packagist)  <= 4.2.1

Affected products: 2

Patches: 0 (no patches discovered yet)

References: 2
