Writeup Exploits
62,967 exploits tracked across all sources.
Subrion CMS <= 4.2.1 - Authenticated Stored Cross-Site Scripting via Create Page Functionality
A Cross Site Scripting (XSS) vulnerability exits in Subrion CMS through 4.2.1 in the Create Page functionality of the admin Account via a SGV file.
CVSS 4.8
Subrion CMS 4.2.1 - Remote Code Execution via Background Field Eval Injection
A Remiote Code Execution (RCE) vulnerability exiss in Subrion CMS 4.2.1 via modified code in a background field; when the information is modified, the data in it will be executed through eval().
CVSS 8.8
Subrion <= 4.2.1 - Cross-Site Scripting via Contact Us Plugin List of Subjects
A cross-site scripting (XSS) vulnerability exists in the "contact us" plugin for Subrion CMS <= 4.2.1 version via "List of subjects".
CVSS 5.4
Subrion CMS 4.2.1 - SQL Injection in Visual Mode
A SQL injection vulnerability exists in Subrion CMS v4.2.1 in the visual-mode.
CVSS 7.2
Subrion CMS 4.2.1 - Stored Cross-Site Scripting via Uploaded Image Name
An issue was discovered in Subrion CMS v4.2.1 There is a stored cross-site scripting (XSS) vulnerability that can execute malicious JavaScript code by modifying the name of the uploaded image, closing the html tag, or adding the onerror attribute.
CVSS 5.4
Subrion CMS 4.2.1 - Cross-Site Scripting via Avatar Path Parameter
Subrion CMS 4.2.1 is affected by: Cross Site Scripting (XSS) through the avatar[path] parameter in a POST request to the /_core/profile/ URI.
CVSS 6.1
Subrion CMS 4.2.2 - Stored Cross-Site Scripting via Blog Image Edit
Cross Site Scripting (XSS) vulnerability exists in Subrion CMS 4.2.2 when adding a blog and then editing an image file.
CVSS 5.4
Subrion 4.2.1 - Cross-Site Scripting via Page Title
Cross-Site Scripting (XSS) vulnerability in Subrion 4.2.1 via the title when adding a page.
CVSS 6.1
Subrion CMS 4.2.1 - SQL Injection via Search Page
SQL Injection vulnerability in Subrion CMS v4.2.1 in the search page if a website uses a PDO connection.
CVSS 9.8
Subrion CMS 4.2.1 - Cross-Site Request Forgery in Plugin Activation
Subrion CMS 4.2.1 has CSRF in panel/modules/plugins/. The attacker can remotely activate/deactivate the plugins.
CVSS 8.8
Subrion CMS 4.2.1 - Cross-Site Scripting via Panel Phrases VALUE Parameter
Subrion CMS v4.2.1 allows XSS via the panel/phrases/ VALUE parameter.
CVSS 5.4
Subrion 4.2.1 - Cross-Site Scripting via Admin Member JSON Update
Subrion 4.2.1 allows XSS via the panel/members/ Username, Full Name, or Email field, aka an "Admin Member JSON Update" issue.
CVSS 5.4
Subrion CMS 4.2.1 - Stored Cross-Site Scripting via Name, Email, or Phone Parameter
Subrion CMS 4.2.1 allows _core/en/contacts/ XSS via the name, email, or phone parameter.
CVSS 6.1
Subrion < 4.1.5 and 4.2.x < 4.2.1 - Cross-Site Request Forgery via Administrator Password Change
Subrion CMS 4.1.5 (and possibly earlier versions) allow CSRF to change the administrator password via the panel/members/edit/1 URI.
CVSS 8.8
Subrion CMS < 4.2.2 - Remote Code Execution via .pht or .phar File Upload
/panel/uploads in Subrion CMS 4.2.1 allows remote attackers to execute arbitrary PHP code via a .pht or .phar file, because the .htaccess file omits these.
CVSS 7.2
Subrion 4.2.1 - Stored Cross-Site Scripting in Admin Panel URL Configuration
There is Stored XSS in Subrion 4.2.1 via the admin panel URL configuration.
CVSS 4.8
Subrion < 4.2.2 - Cross-Site Scripting via .html File Upload
uploads/.htaccess in Subrion CMS 4.2.1 allows XSS because it does not block .html file uploads (but does block, for example, .htm file uploads).
CVSS 6.1
Subrion < 4.2.2 - Cross-Site Scripting via .html File Upload
uploads/.htaccess in Subrion CMS 4.2.1 allows XSS because it does not block .html file uploads (but does block, for example, .htm file uploads).
CVSS 6.1
Subrion 4.2.1 - Privilege Escalation
Subrion 4.2.1 is vulnerable to Improper Access control because user groups not having access to the Admin panel are able to access it (but not perform actions) if the Guests user group has access to the Admin panel.
CVSS 6.5
Subrion CMS 4.2.1 - Stored Cross-Site Scripting in Tooltip Renderer
Subrion CMS v4.2.1 is vulnerable to Stored XSS because of no escaping added to the tooltip information being displayed in multiple areas.
CVSS 5.4
Subrion CMS 4.2.1 - Stored Cross-Site Scripting in Tooltip Renderer
Subrion CMS v4.2.1 is vulnerable to Stored XSS because of no escaping added to the tooltip information being displayed in multiple areas.
CVSS 5.4
Subrion < 4.1.4 - Cross-Site Scripting
Subrion CMS before 4.1.4 has XSS.
CVSS 6.1
Subrion 4.0.5 - PHP Object Injection via Salt Cookie
includes/classes/ia.core.users.php in Subrion CMS 4.0.5 allows remote attackers to conduct PHP Object Injection attacks via crafted serialized data in a salt cookie in a login request.
CVSS 9.8
Subrion CMS 4.1.5 - Cross-Site Request Forgery in Blog Delete Endpoint
Subrion CMS 4.1.5 has CSRF in blog/delete/.
CVSS 8.8
Subrion 4.1-4.1.5 and < 4.2.0 - Cross-Site Request Forgery via Panel Database Query Parameter
There are CSRF vulnerabilities in Subrion CMS 4.1.x through 4.1.5, and before 4.2.0, because of a logic error. Although there is functionality to detect CSRF, it is called too late in the ia.core.php code, allowing (for example) an attack against the query parameter to panel/database.
CVSS 8.8
By Source