Packagist (Composer) package
intelliants/subrion
pkg:composer/intelliants/subrion
Vulnerabilities (42)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2020-18155 | — | — | — | <= 4.2.1 | — | Jul 14, 2021 | SQL Injection vulnerability in Subrion CMS v4.2.1 in the search page if a website uses a PDO connection. |
| CVE-2020-23761 | — | — | — | <= 4.2.1 | — | Apr 9, 2021 | Cross Site Scripting (XSS) vulnerability in subrion CMS Version <= 4.2.1 allows remote attackers to execute arbitrary web script via the "payment gateway" column on transactions tab. |
| CVE-2019-7357 | — | — | — | <= 4.2.1 | — | Nov 10, 2020 | Subrion CMS 4.2.1 has CSRF in panel/modules/plugins/. The attacker can remotely activate/deactivate the plugins. |
| CVE-2019-20390 | — | — | — | — | — | May 15, 2020 | A Cross-Site Request Forgery (CSRF) vulnerability was discovered in Subrion CMS 4.2.1 that allows a remote attacker to remove files on the server without a victim's knowledge, by enticing an authenticated user to visit an attacker's web page. The application fails to validate the |
| CVE-2019-20389 | — | — | — | <= 4.2.1 | — | May 15, 2020 | An XSS issue was identified on the Subrion CMS 4.2.1 /panel/configuration/general settings page. A remote attacker can inject arbitrary JavaScript code in the v[language_switch] parameter (within multipart/form-data), which is reflected back within a user's browser without proper |
| CVE-2020-12467 | — | — | — | <= 4.2.1 | — | Apr 29, 2020 | Subrion CMS 4.2.1 allows session fixation via an alphanumeric value in a session cookie. |
| CVE-2020-12468 | — | — | — | — | — | Apr 29, 2020 | Subrion CMS 4.2.1 allows CSV injection via a phrase value within a language. This is related to phrases/add/ and languages/download/. |
| CVE-2020-12469 | — | — | — | <= 4.2.1 | — | Apr 29, 2020 | admin/blocks.php in Subrion CMS through 4.2.1 allows PHP Object Injection (with resultant file deletion) via serialized data in the subpages value within a block to blocks/edit. |
| CVE-2018-21037 | — | — | — | < 4.2.1 | 4.2.1 | Mar 17, 2020 | Subrion CMS 4.1.5 (and possibly earlier versions) allow CSRF to change the administrator password via the panel/members/edit/1 URI. |
| CVE-2018-11317 | — | — | — | < 4.1.4 | 4.1.4 | Jul 3, 2019 | Subrion CMS before 4.1.4 has XSS. |
| CVE-2017-18366 | — | — | — | < 4.2.1 | 4.2.1 | Apr 12, 2019 | Subrion CMS 4.1.5 has CSRF in blog/delete/. |
| CVE-2018-16629 | — | — | — | <= 4.2.1 | — | Dec 4, 2018 | panel/uploads/#elf_l1_XA in Subrion CMS v4.2.1 allows XSS via an SVG file with JavaScript in a SCRIPT element. |
| CVE-2018-19422 | — | — | — | < 4.2.2 | 4.2.2 | Nov 21, 2018 | /panel/uploads in Subrion CMS 4.2.1 allows remote attackers to execute arbitrary PHP code via a .pht or .phar file, because the .htaccess file omits these. |
| CVE-2018-15563 | — | — | — | <= 4.2.1 | — | Oct 2, 2018 | _core/admin/pages/add/ in Subrion CMS 4.2.1 has XSS via the titles[en] parameter. |
| CVE-2018-16327 | — | — | — | — | — | Sep 1, 2018 | There is Stored XSS in Subrion 4.2.1 via the admin panel URL configuration. |
| CVE-2018-14840 | — | — | — | < 4.2.2 | 4.2.2 | Aug 2, 2018 | uploads/.htaccess in Subrion CMS 4.2.1 allows XSS because it does not block .html file uploads (but does block, for example, .htm file uploads). |
| CVE-2018-14835 | — | — | — | <= 4.2.1 | — | Aug 2, 2018 | Subrion CMS v4.2.1 is vulnerable to Stored XSS because of no escaping added to the tooltip information being displayed in multiple areas. |
| CVE-2017-15063 | High | 8.8 | — | >= 4.1, < 4.2.0 | 4.2.0 | Oct 6, 2017 | There are CSRF vulnerabilities in Subrion CMS 4.1.x through 4.1.5, and before 4.2.0, because of a logic error. Although there is functionality to detect CSRF, it is called too late in the ia.core.php code, allowing (for example) an attack against the query parameter to panel/data |
| CVE-2017-10795 | Medium | 6.1 | — | < 4.1.6 | 4.1.6 | Jul 2, 2017 | Cross-site scripting (XSS) vulnerability in Subrion CMS 4.1.4 allows remote attackers to inject arbitrary web script or HTML via the body to blog/add/, a different vulnerability than CVE-2017-6069. |
| CVE-2017-6068 | High | 8.8 | — | <= 4.0.5 | — | Mar 27, 2017 | Subrion CMS 4.0.5 has CSRF in admin/blocks/add/. The attacker can create any block, and can optionally insert XSS via the content parameter. |
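The "Affected versions" column is only useful once it is evaluated against the version actually pinned in a project's composer.lock. The script below is an added example, not code from this page or from the Subrion project: it copies the affected ranges from the table above into a dictionary, parses the range syntax the table uses (`<= 4.2.1`, `< 4.2.2`, `>= 4.1, < 4.2.0`) and reports which listed CVEs match a given installed version. The three rows whose affected-version cell is empty are deliberately left out, since the page gives no range to test for them. The installed versions fed to it at the bottom are constructed inputs; the function names and the pre-release handling are my own choices.

```python
"""Match an installed intelliants/subrion version against the affected ranges
listed in the table above.  Added example, not part of the original page or
of Subrion itself."""
import re
from typing import Dict, List, Tuple

# Affected ranges copied from the table above.  Rows whose "Affected versions"
# cell is "—" (CVE-2019-20390, CVE-2020-12468, CVE-2018-16327) are omitted:
# the page gives no range for them, so they have to be reviewed by hand.
AFFECTED_RANGES: Dict[str, str] = {
    "CVE-2020-18155": "<= 4.2.1",
    "CVE-2020-23761": "<= 4.2.1",
    "CVE-2019-7357": "<= 4.2.1",
    "CVE-2019-20389": "<= 4.2.1",
    "CVE-2020-12467": "<= 4.2.1",
    "CVE-2020-12469": "<= 4.2.1",
    "CVE-2018-21037": "< 4.2.1",
    "CVE-2018-11317": "< 4.1.4",
    "CVE-2017-18366": "< 4.2.1",
    "CVE-2018-16629": "<= 4.2.1",
    "CVE-2018-19422": "< 4.2.2",
    "CVE-2018-15563": "<= 4.2.1",
    "CVE-2018-14840": "< 4.2.2",
    "CVE-2018-14835": "<= 4.2.1",
    "CVE-2017-15063": ">= 4.1, < 4.2.0",
    "CVE-2017-10795": "< 4.1.6",
    "CVE-2017-6068": "<= 4.0.5",
}

Version = Tuple[int, ...]
_CONSTRAINT = re.compile(r"(<=|>=|<|>|=)?\s*v?(\d+(?:\.\d+)*)")


def parse_version(text: str, width: int = 4) -> Version:
    """'v4.2' -> (4, 2, 0, 0).  Only plain dotted releases are accepted.  A
    pre-release or stability suffix ('4.2.1-beta1', '4.2.x-dev') raises instead
    of being silently treated as the release it is not."""
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    if len(parts) > width:
        raise ValueError(f"too many components in {text!r}")
    # Pad to a fixed width so (4, 2) and (4, 2, 0) compare as equal.
    return tuple(parts + [0] * (width - len(parts)))


def parse_range(spec: str) -> List[Tuple[str, Version]]:
    """'>= 4.1, < 4.2.0' -> [('>=', (4,1,0,0)), ('<', (4,2,0,0))].
    A comma separates constraints that must all hold (an AND range)."""
    constraints = []
    for part in spec.split(","):
        m = _CONSTRAINT.fullmatch(part.strip())
        if not m:
            raise ValueError(f"unsupported range: {spec!r}")
        constraints.append((m.group(1) or "=", parse_version(m.group(2))))
    return constraints


_OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "=": lambda a, b: a == b,
}


def in_range(installed: str, spec: str) -> bool:
    """True when the installed version satisfies every constraint in spec."""
    v = parse_version(installed)
    return all(_OPS[op](v, bound) for op, bound in parse_range(spec))


def matching_cves(installed: str, ranges: Dict[str, str] = AFFECTED_RANGES) -> List[str]:
    """CVE ids from the table whose affected range covers the installed version."""
    return [cve for cve, spec in ranges.items() if in_range(installed, spec)]


if __name__ == "__main__":
    # Constructed inputs standing in for the version read from composer.lock.
    for version in ("4.0.5", "4.1.5", "4.2.1", "4.2.2"):
        hits = matching_cves(version)
        print(f"{version}: {len(hits)} listed CVEs match", ", ".join(hits))
```

Two caveats worth keeping in mind when using this against a real lock file: a version the table does not cover (the three rows with an empty range) is not a clean bill of health, and `4.2.2` matching nothing here only means nothing on this page of the listing matches, not that the package is free of later findings.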
Page 2 of 3