VYPR
Low severity (2.4) · NVD Advisory · Published Jun 15, 2026

CVE-2026-12202

Description

A stored XSS vulnerability in Subrion CMS up to 4.0.3 allows attackers to inject scripts via the CSS class name field in the Blocks endpoint, with a public PoC available.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in Intelliants Subrion CMS versions up to and including 4.0.3. The flaw resides in the Blocks endpoint, where the CSS class name parameter is not properly validated or sanitized. An authenticated user with administrative access can inject arbitrary JavaScript into this field, which is then stored on the server. The vulnerability is triggered when the block is rendered or viewed. [1]

Exploitation

An attacker must first hold administrative credentials for the admin dashboard. The steps are to open the Blocks page, click Add Block, and enter a payload such as `"><img src=x onerror=alert('CVE-Hunters2')>` into the CSS class name field; the leading `">` closes the class attribute value and the enclosing start tag, so the rest of the string is parsed as markup. After the other required fields are filled in and the form is submitted, the payload is stored and executes whenever the block is rendered. Injection needs no interaction from anyone but the attacker; execution against another administrator requires that person to load a page on which the block is displayed. [1]

Impact

The attacker gains the ability to execute arbitrary JavaScript in the context of the admin dashboard and any page where the block is displayed. This can lead to session cookie theft, hijacking of administrative sessions, credential theft, or further compromise of the CMS installation. The attack affects the integrity and confidentiality of the application, as the injected script can perform actions on behalf of the administrator and access sensitive data. [1]

Mitigation

As of the publication date, the vendor has not responded and no patch for this issue has been released for Subrion CMS up to version 4.0.3; the affected branch may be end-of-life or unmaintained. The two commits listed under Patches below belong to the 4.0.4 release and do not touch the Blocks endpoint. Administrators should restrict the admin dashboard to trusted users, audit existing block records for CSS class values containing anything beyond letters, digits, spaces, hyphens and underscores, and consider disabling the Blocks functionality or adding a web application firewall rule for the injection pattern. Since the root cause is missing validation and attribute-context output encoding in the application, a WAF rule is a stopgap rather than a fix. Upgrade if a patched release appears. [1]

AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

7e6ccc8086cb

Security fix

https://github.com/intelliants/subrion · Janur Jangaraev · Jan 27, 2016 · Fixed in 4.0.4 · via llm-release-walk
2 files changed · +3 −2
  • includes/classes/ia.core.php (+1 −1, modified)
    @@ -180,7 +180,7 @@ protected function _parseUrl()
     	{
     		$iaView = &$this->iaView;
     
    -		$domain = $_SERVER['HTTP_HOST'];
    +		$domain = preg_replace('#[^a-z_0-9-.]#i', '', $_SERVER['HTTP_HOST']);
     		$requestPath = preg_replace('#^\/#', '', $_SERVER['REQUEST_URI']);
     
     		if (!preg_match('#^www\.#', $domain) && preg_match('#:\/\/www\.#', $this->get('baseurl')))
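Review bot: the replacement on the `$domain` line mutates the Host header instead of rejecting it, so a port suffix such as `example.com:8080` becomes `example.com8080` and `$domain` no longer matches any configured host; the allowlist also keeps `_`, which is the single-character wildcard in the `LIKE` pattern that ia.core.view.php builds from this same value. Validating the header against the host in the configured `baseurl` and failing closed would be safer than stripping characters.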
    
  • includes/classes/ia.core.view.php (+2 −1, modified)
    @@ -776,7 +776,8 @@ public function definePage()
     				{
     					$pageName = '';
     				}
    -				$where = iaDb::printf("p.`name` = ':name' OR p.`alias` LIKE ':domain:name%'", array('name' => $pageName, 'domain' => $this->domainUrl));
    +				$where = iaDb::printf("p.`name` = ':name' OR p.`alias` LIKE ':domain:name%'",
    +					array('name' => $pageName, 'domain' => iaSanitize::sql($this->domainUrl)));
     			}
     		}
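Review bot: the new `$where` escapes only `domain` while `name` in the same `iaDb::printf()` call is passed as-is; either the helper already escapes every bound value, in which case `iaSanitize::sql()` is redundant here, or `$pageName` is equally injectable and needs the same treatment. SQL quoting also does not neutralize the `LIKE` metacharacters `%` and `_`, so a domain string containing them still widens the alias match.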
     
    
3c03bc7da151

Merge pull request #101 from intelliants/develop

https://github.com/intelliants/subrion · Vasily Bezruchkin · Feb 1, 2016 · Fixed in 4.0.4 · via release-tag
4 files changed · +18 −12
  • admin/configuration.php (+10 −2, modified)
    @@ -66,7 +66,7 @@ protected function _indexPage(&$iaView)
     		}
     
     		$groupName = isset($this->_iaCore->requestPath[0]) ? $this->_iaCore->requestPath[0] : 'general';
    -		$groupData = $this->_iaDb->row_bind(iaDb::ALL_COLUMNS_SELECTION, '`name` = :name', array('name' => $groupName), iaCore::getConfigGroupsTable());
    +		$groupData = $this->_getGroupByName($groupName);
     
     		if (empty($groupData))
     		{
    @@ -186,7 +186,7 @@ private function _setGroup(&$iaView, array $groupData)
     		}
     		else
     		{
    -			$title = iaLanguage::get('config_group_' . $groupData['name']);
    +			$title = $groupData['title'];
     		}
     
     		$iaView->title($title);
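Review bot: `$title = $groupData['title'];` assumes every caller of `_setGroup()` obtained `$groupData` via `_getGroupByName()`; a row fetched any other way has no `title` key, and this line then raises an undefined-index notice and sets an empty title. A docblock on `_setGroup()` stating that contract, or a fallback to the `iaLanguage::get('config_group_' . $groupData['name'])` lookup when the key is absent, would make the refactor safe.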
    @@ -416,6 +416,14 @@ private function _getUsersSpecificConfig()
     		return ($rows = $this->_iaDb->getKeyValue($sql)) ? $rows : array();
     	}
     
    +	protected function _getGroupByName($groupName)
    +	{
    +		$result = $this->_iaDb->row_bind(iaDb::ALL_COLUMNS_SELECTION, '`name` = :name', array('name' => $groupName), iaCore::getConfigGroupsTable());
    +		empty($result) || $result['title'] = iaLanguage::get('config_group_' . $result['name']);
    +
    +		return $result;
    +	}
    +
     	protected function _updateParam($key, $value)
     	{
     		if (in_array($key, $this->_customConfigParams))
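Review bot: `empty($result) || $result['title'] = ...` uses short-circuit evaluation for a side effect and reads as a comparison at first glance; a plain `if (!empty($result)) { $result['title'] = iaLanguage::get(...); }` says the same thing. The `row_bind()` call keeps `$groupName` as a bound parameter, which is the right call given it comes from `requestPath[0]`.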
    
  • includes/classes/ia.core.language.php (+5 −6, modified)
    @@ -124,13 +124,12 @@ public static function load($languageCode)
     	{
     		$iaCore = iaCore::instance();
     
    -		$stmt = "`code` = :language AND `category` != 'tooltip' AND `category` != :exclusion ORDER BY `extras`";
    -		$iaCore->iaDb->bind($stmt, array(
    -			'language' => $languageCode,
    -			'exclusion' => (iaCore::ACCESS_FRONT == $iaCore->getAccessType()) ? 'admin' : 'frontend'
    -		));
    +		$where = (iaCore::ACCESS_FRONT == $iaCore->getAccessType())
    +			? "`code` = '%s' AND `category` NOT IN('tooltip', 'admin') ORDER BY `extras`"
    +			: "`code` = '%s' AND `category` NOT IN('tooltip', 'frontend', 'page')";
    +		$where = sprintf($where, $languageCode);
     
    -		self::$_phrases = $iaCore->iaDb->keyvalue(array('key', 'value'), $stmt, self::getTable());
    +		self::$_phrases = $iaCore->iaDb->keyvalue(array('key', 'value'), $where, self::getTable());
     	}
     
     	public static function getPhrases()
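Review bot: this hunk replaces a parameterized `bind()` with `sprintf()` interpolation of `$languageCode` into `'%s'`, so whether the query is injectable now depends entirely on every caller passing an allowlisted code, and nothing in the visible lines enforces that. Keep the bound `:language` parameter (the `NOT IN(...)` lists are constants and can stay literal), or at minimum pass `$languageCode` through `iaSanitize::sql()` as the other commit does for `domainUrl`. The change also quietly adds `'page'` to the admin-side exclusion list, which the commit message does not mention.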
    
  • includes/classes/ia.core.view.php (+2 −4, modified)
    @@ -861,10 +861,8 @@ public function definePage()
     			return self::errorPage(self::ERROR_NOT_FOUND);
     		}
     
    -		if (!isset($pageParams['title'])) // frontend page
    -		{
    -			$pageParams['title'] = iaLanguage::get(sprintf('page_title_%s', $pageParams['name']));
    -		}
    +		$pageParams['title'] = iaLanguage::get(sprintf('page_title_%s', $pageParams['name']));
    +
     		if (!isset($pageParams['body']))
     		{
     			$pageParams['body'] = isset($pageParams['name']) ? $pageParams['name'] : self::DEFAULT_HOMEPAGE;
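Review bot: the now-unconditional `$pageParams['title'] = iaLanguage::get(sprintf('page_title_%s', $pageParams['name']));` reads `$pageParams['name']` two lines before the code still checks `isset($pageParams['name'])`, so a page record without a name triggers an undefined-index notice and a lookup for the bare key `page_title_`. Either move the assignment below the `body` block where `name` has been defaulted, or guard it the same way. Dropping the `isset($pageParams['title'])` check also means any title stored on the page record is overwritten by the language phrase; if that is intended it should be stated in the commit.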
    
  • install/dump/install.sql (+1 −0, modified)
    @@ -2229,6 +2229,7 @@ INSERT INTO `{install:prefix}language` (`key`,`value`,`category`) VALUES
     ('page_title_fields','Fields','admin'),
     ('page_title_fieldgroups','Field Groups','admin'),
     ('page_title_hooks','Hooks','admin'),
    +('page_title_index','Dashboard','admin'),
     ('page_title_invoices','Invoices','admin'),
     ('page_title_languages','Languages','admin'),
     ('page_title_members','Members','admin'),
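Review bot: `('page_title_index','Dashboard','admin')` only covers the admin index; because the view hunk now resolves every page title through `page_title_<name>`, any other admin page without such a phrase renders with an empty title. `install.sql` also affects only fresh installs, so existing 4.0.3 deployments need a matching language-table update on upgrade.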
    

Vulnerability mechanics

Root cause

"Missing input validation and sanitization on the CSS class name field in the Blocks endpoint allows stored cross-site scripting."

Attack vector

An attacker with admin panel access (PR:H) navigates to the Blocks endpoint, adds a new block, and injects a malicious script into the `CSS class name` field [ref_id=1]. The payload `"><img src=x onerror=alert('CVE-Hunters2')>` is stored server-side and executed automatically when the block is rendered, triggering a stored XSS [CWE-79]. The attack is launched remotely over the network (AV:N) and requires user interaction (UI:R) to view the affected page.

Affected code

The vulnerability resides in the **Blocks** endpoint of Subrion CMS (up to v4.0.3): the `CSS class name` field is not validated or sanitized before it is stored and rendered. The linked patches [patch_id=6022406] and [patch_id=6022661] modify `includes/classes/ia.core.php`, `includes/classes/ia.core.view.php`, `admin/configuration.php`, `includes/classes/ia.core.language.php` and `install/dump/install.sql`, covering Host-header sanitization, page-alias lookup, configuration-group titles and language loading; neither touches the Blocks endpoint or the CSS class name input.

What the fix does

The patches [patch_id=6022406] and [patch_id=6022661], both from early 2016 and attributed to the 4.0.4 release, strip unexpected characters from `HTTP_HOST`, escape the domain used in a page-alias `LIKE` query, and refactor language loading and page-title handling in `admin/configuration.php`, `ia.core.language.php` and `ia.core.view.php`. They do **not** add sanitization or validation to the `CSS class name` field in the Blocks endpoint. The advisory [ref_id=1] states the vendor did not respond, and no fix for this XSS vector is present in these commits; their association with this CVE is a release-level link rather than a fix for the reported issue.

Preconditions

  • auth: Attacker must have admin panel access (PR:H) to reach the Blocks endpoint
  • input: Victim must view the page containing the malicious block (UI:R)

Reproduction

1. Access the admin dashboard and click the 'Edit Blocks' button.
2. On the Blocks page, click 'Add Block'.
3. Insert the payload `"><img src=x onerror=alert('CVE-Hunters2')>` into the 'CSS class name' field and fill in the required fields.
4. Scroll down and click 'Add'. The payload executes automatically upon saving.
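The following is an added example and not Subrion code. It shows the attribute-context breakout behind the reproduction steps above (the stored value closes the `class="..."` attribute) next to the two controls the Mitigation section calls for: an allowlist on the CSS class field and attribute-safe output encoding, plus a review pass over existing rows. The function names, the `$rows` array and its column names are constructed for the example, and the allowlist deliberately accepts only plain ASCII class tokens.

```php
<?php
// Added example, not part of Subrion CMS. Demonstrates how an unescaped
// CSS class value breaks out of a class attribute and how to prevent it.
declare(strict_types=1);

// Allowlist for a space-separated list of CSS class tokens.
// Assumption: the application only needs ASCII identifiers; CSS escapes,
// leading hyphens and non-ASCII names are intentionally rejected.
const CSS_CLASS_LIST = '/^[A-Za-z_][A-Za-z0-9_-]*( [A-Za-z_][A-Za-z0-9_-]*)*$/';

function isValidCssClassList(string $value): bool
{
    return $value === '' || preg_match(CSS_CLASS_LIST, $value) === 1;
}

// Vulnerable rendering: the stored value lands in the attribute verbatim,
// so a value beginning with "> terminates the attribute and the start tag
// and everything after it is parsed as markup.
function renderBlockWrapperVulnerable(array $block): string
{
    return '<div class="' . $block['classname'] . '">';
}

// Hardened rendering: attribute-context encoding. ENT_QUOTES turns both
// quote characters into entities, so the value cannot leave the attribute.
function renderBlockWrapperHardened(array $block): string
{
    $cls = htmlspecialchars($block['classname'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<div class="' . $cls . '">';
}

// Review pass for already-stored rows: return the ids whose class value
// fails the allowlist so an administrator can inspect or clean them.
function findSuspiciousClassNames(array $rows): array
{
    $hits = [];
    foreach ($rows as $row) {
        if (!isValidCssClassList($row['classname'])) {
            $hits[] = $row['id'];
        }
    }
    return $hits;
}

// Constructed sample rows standing in for a blocks table; the second row
// carries the payload quoted in the advisory.
$rows = [
    ['id' => 1, 'classname' => 'sidebar col-md-3'],
    ['id' => 2, 'classname' => '"><img src=x onerror=alert(\'CVE-Hunters2\')>'],
];

echo "Vulnerable:\n", renderBlockWrapperVulnerable($rows[1]), "\n\n";
echo "Hardened:\n", renderBlockWrapperHardened($rows[1]), "\n\n";
echo "Rows failing the allowlist: ", implode(', ', findSuspiciousClassNames($rows)), "\n";
```

Both controls belong together: the allowlist rejects the payload at write time and keeps the stored data clean for other consumers (exports, CSS generation), while the encoding protects the rendering path even if a malformed value reaches the database by another route. The block body itself is a separate output context and is not covered here.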

Generated on Jun 15, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
