VYPR
Moderate severity · NVD Advisory · Published Sep 28, 2023 · Updated Sep 23, 2024

CVE-2023-43884

Description

A cross-site scripting (XSS) vulnerability in the Reference ID field of the Transactions panel in Subrion v4.2.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the 'Reference ID' parameter.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A stored cross-site scripting vulnerability in Subrion CMS 4.2.1 allows attackers to execute arbitrary HTML/JavaScript via the 'Reference ID' parameter in the Transactions panel.

A stored cross-site scripting (XSS) vulnerability exists in Subrion CMS version 4.2.1. The flaw is present in the 'Reference ID' parameter within the Transactions panel of the application's administrative interface. An attacker can inject a crafted payload (e.g., HTML or JavaScript) into this field, which is then stored by the system without proper sanitization [1][3].

To exploit the vulnerability, an attacker must have access to the Transactions panel, typically requiring authenticated access to the Subrion CMS admin backend. Once a transaction is created with a malicious Reference ID, the payload is stored and subsequently rendered when any user (including other administrators) visits the /profile/funds/ page. The attack does not require user interaction beyond navigating to that page, and the injected script executes in the context of the victim's session [3].

Successful exploitation enables an attacker to execute arbitrary web scripts or HTML in the browser of any user viewing the affected page. This can lead to session hijacking, theft of sensitive data, or defacement of the CMS dashboard. The impact is limited to authenticated users who have access to the funds/profile area, but could allow privilege escalation or account takeover if an admin’s session is compromised [1][3].

As of the latest information, no patch has been released for this specific vulnerability in Subrion 4.2.1. The vendor's development branch on GitHub shows continued activity but no fix for this issue [2]. Users are advised to restrict access to the Transactions panel to trusted administrators, apply input validation manually, or upgrade to a patched version if made available.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package:           intelliants/subrion (Packagist)
Affected versions: <= 4.2.1
Patched versions:  none listed

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: not yet synthesized for this CVE

References: 2

News mentions: 0