VYPR
Moderate severity · NVD Advisory · Published Oct 19, 2023 · Updated Sep 12, 2024

CVE-2023-43875

Description

Multiple Cross-Site Scripting (XSS) vulnerabilities in the installation of Subrion CMS v4.2.1 allow a local attacker to execute arbitrary web scripts via a crafted payload injected into the dbhost, dbname, dbuser, adminusername, and adminemail fields.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Subrion CMS 4.2.1 installation wizard contains multiple reflected XSS vulnerabilities in five input fields (dbhost, dbname, dbuser, adminusername, adminemail), allowing anyone who can reach the setup page to inject arbitrary JavaScript.

Vulnerability

Description

Multiple Cross-Site Scripting (XSS) vulnerabilities exist in the installation wizard of Subrion CMS version 4.2.1. The root cause is that values submitted in the dbhost, dbname, dbuser, adminusername, and adminemail fields are rendered back into the wizard's pages without sufficient sanitization or output encoding [1][3], so an attacker can break out of the surrounding markup and inject arbitrary HTML or script.

Exploitation

An attacker with access to the installation page can craft a payload (e.g., '><svg/onload=alert('XSS')>) and submit it in any of the five vulnerable fields. Upon clicking the "Next" button, the injected script executes in the context of the installation page [3]. No authentication is required, because the wizard runs before the CMS is fully installed.
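The following is an added example, not Subrion's code, illustrating both the root cause described above (a submitted value interpolated into an input's value attribute without encoding) and the exploitation path (a leading quote and closing bracket break out of the attribute so the rest of the payload becomes a new element). The two render functions are constructed stand-ins for the wizard's template, the xss-<field> tag name is a hypothetical canary chosen so it cannot collide with real markup, and the form values are constructed sample input; the probe is written to be reusable against a captured response body from a real setup page.

```python
"""Offline demonstration of the CVE-2023-43875 pattern: an installer re-renders
submitted wizard values into <input value="..."> without escaping them.
Added example; the render functions below are constructed stand-ins, not Subrion code."""
import html
from html.parser import HTMLParser

# The five wizard fields named in the advisory.
VULNERABLE_FIELDS = ["dbhost", "dbname", "dbuser", "adminusername", "adminemail"]


def canary_for(field: str) -> str:
    """Attribute break-out followed by a field-specific marker element.
    The '"> prefix closes a single- or double-quoted attribute and the enclosing tag;
    xss-<field> is a hypothetical tag name used only to recognise a successful injection."""
    return f"'\"><xss-{field}>"


def build_probe(base: dict) -> dict:
    """Copy of the wizard form with every advisory field replaced by its canary."""
    form = dict(base)
    for field in VULNERABLE_FIELDS:
        form[field] = canary_for(field)
    return form


def render_vulnerable(form: dict) -> str:
    """Constructed stand-in for the unsafe pattern: raw interpolation into the attribute."""
    return "".join(f'<input name="{k}" value="{v}">\n' for k, v in form.items())


def render_fixed(form: dict) -> str:
    """Hardened stand-in: encode &, <, > and both quote characters before re-rendering.
    quote=True is what keeps the payload from closing the attribute."""
    return "".join(
        f'<input name="{html.escape(k, quote=True)}" value="{html.escape(v, quote=True)}">\n'
        for k, v in form.items()
    )


class _TagCollector(HTMLParser):
    """Records every start tag the browser-like parser would create."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        self.tags.append(tag)


def injected_tags(body: str) -> set[str]:
    """Canary elements that actually survived as elements, i.e. the break-out worked."""
    parser = _TagCollector()
    parser.feed(body)
    return {t for t in parser.tags if t.startswith("xss-")}


def probe(render, base: dict) -> dict:
    """Submit canaries through `render` (a function returning the response body) and
    classify each field: injected, reflected-raw (verbatim but not parsed as a tag,
    e.g. inside a comment), escaped, or absent."""
    body = render(build_probe(base))
    tags = injected_tags(body)
    result = {}
    for field in VULNERABLE_FIELDS:
        canary = canary_for(field)
        if f"xss-{field}" in tags:
            result[field] = "injected"
        elif canary in body:
            result[field] = "reflected-raw"
        elif html.escape(canary, quote=True) in body:
            result[field] = "escaped"
        else:
            result[field] = "absent"
    return result


# Constructed sample input resembling the wizard's database and admin steps.
SAMPLE_FORM = {
    "dbhost": "localhost",
    "dbname": "subrion",
    "dbuser": "root",
    "dbpass": "not-targeted",
    "adminusername": "admin",
    "adminemail": "admin@example.com",
}

if __name__ == "__main__":
    for label, render in (("vulnerable", render_vulnerable), ("fixed", render_fixed)):
        print(label, probe(render, SAMPLE_FORM))
```

Against a live instance the same probe applies: POST build_probe(...) to the wizard URL, feed the response body to injected_tags and the per-field checks, and treat any "injected" or "reflected-raw" result as confirmation that the deployment is still affected.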

Impact

Successful exploitation enables arbitrary JavaScript execution in the context of the installation page, which could be used to read the database and administrator credentials being entered on that page, redirect the user to a malicious site, or perform actions on the user's behalf within the installation interface. Although the attacker is described as "local," the installation page is served over HTTP and accessed with a web browser, so any user who can reach the setup URL can trigger the XSS [1]. The exposure window is bounded by the lifetime of the wizard: the payload is only reflected while the setup pages remain reachable.

Mitigation

As of the publication date (2023-10-19), no official patch had been released for Subrion CMS 4.2.1 [2]. Until one is available, restrict access to the installation wizard to trusted administrators (for example, by network-level or web-server access controls), run the installation over a trusted network, and remove or deny web access to the installation directory as soon as setup is complete. Upgrading to a newer version, if one is available, may also address the issue.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: intelliants/subrion (Packagist)
Affected versions: <= 4.2.1
Patched versions: none

Affected products: 2

Patches: 0 (no patches discovered yet)
