VYPR
Moderate severity · NVD Advisory · Published Feb 27, 2024 · Updated Feb 26, 2026

CVE-2024-25399

Description

Subrion CMS 4.2.1 is vulnerable to Cross Site Scripting (XSS) via adminer.php.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Subrion CMS 4.2.1 is vulnerable to stored XSS via the adminer.php page due to improper input sanitization.

Vulnerability Details

CVE-2024-25399 describes a Cross-Site Scripting (XSS) vulnerability in Subrion CMS version 4.2.1, specifically within the adminer.php file. The root cause is improper neutralization of user-controllable input before it is placed in output used as a web page [1]. This flaw allows an attacker to inject arbitrary JavaScript or HTML into the page.

Exploitation

To exploit this vulnerability, an attacker must have access to the administrative interface of the Subrion CMS instance, which requires authentication. The attacker can inject malicious scripts via a crafted input processed by adminer.php. The exact input vector and required privileges are not detailed in available references, but the nature of the file suggests it may involve database management actions [2].

Impact

Successful exploitation enables an attacker to execute arbitrary scripts in the context of the admin's browser session. This can lead to session hijacking, defacement, or theft of sensitive data. Because the vulnerability is in the admin panel, the impact is limited to authenticated users but could be leveraged to escalate privileges or compromise the CMS.

Mitigation

As of the publication date (2024-02-27), no official patch or advisory from the vendor (Intelliants) has been released. Subrion CMS 4.2.1 is the latest version from the 4.x branch, and the project's open-source repository is available on GitHub [3]. Users are advised to upgrade to the latest version when available, restrict access to adminer.php, or apply input validation as a workaround. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog as of now.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: intelliants/subrion (Packagist)
Affected versions: <= 4.2.1
Patched versions: none listed

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0 (no linked articles in our index yet)