CVE-2012-5452

Subrion CMS 2.2.1 - XSS

Title source: llm

Description

Multiple cross-site scripting (XSS) vulnerabilities in Subrion CMS 2.2.1 allow remote attackers to inject arbitrary web script or HTML via the (1) multi_title parameter to blocks/add/; (2) cost, (3) days, or (4) title[en] parameter to plans/add/; (5) name or (6) title[en] parameter to fields/group/add/ in admin/manage/; or (7) f[accounts][fullname] or (8) f[accounts][username] parameter to advsearch/. NOTE: This might overlap CVE-2011-5211. NOTE: it was later reported that the f[accounts][fullname] and f[accounts][username] vectors might also affect 2.2.2.

Exploits (1)

exploitdb WORKING POC VERIFIED

by High-Tech Bridge SA · textwebappsphp

https://www.exploit-db.com/exploits/22159

View Code ZIP pw:eip

References (9)

[Exploit] http://packetstormsecurity.org/files/116434/Subrion-CMS-2.2.1-Cross-Site-Scripting.html

[Exploit, Third Party Advisory] http://packetstormsecurity.org/files/117460/Subrion-CMS-2.2.1-XSS-CSRF-SQL-Injection.html

[Vendor Advisory] http://secunia.com/advisories/44917

[Vendor Advisory] http://www.subrion.com/forums/announcements/893-subrion-open-source-cms-2-2-2-has-been-released.html

[Exploit] http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5105.php

[Third Party Advisory, VDB Entry] https://exchange.xforce.ibmcloud.com/vulnerabilities/78467

[Third Party Advisory, VDB Entry] https://exchange.xforce.ibmcloud.com/vulnerabilities/78468

[Exploit] https://www.htbridge.com/advisory/HTB23113

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/55502

Scores

EPSS 0.1865

EPSS Percentile 95.2%

Details

CWE

CWE-79

Status published

Products (2)

intelliants/subrion_cms

n/a/n/a

Published Oct 22, 2012

Tracked Since Feb 18, 2026