CVE-2023-43875

MEDIUM

Subrion CMS 4.2.1 - Reflected Cross-Site Scripting via Installation Parameters

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-43875. PoCs published by sromanhu.

AI-analyzed exploit summary: This repository contains a functional proof-of-concept for CVE-2023-43875, demonstrating reflected XSS vulnerabilities in Subrion CMS v4.2.1 during the installation process. The exploit leverages improper input sanitization in the dbhost, dbname, dbuser, adminusername and adminemail fields to inject JavaScript payloads that the installer reflects back into the page.

Description

Multiple Cross-Site Scripting (XSS) vulnerabilities in the installer of Subrion CMS v4.2.1 allow an attacker to execute arbitrary web script via a crafted payload injected into the dbhost, dbname, dbuser, adminusername and adminemail parameters. The published description calls this a "local attacker", but the CVSS vector below rates the attack vector as Network: the installer is an ordinary web form, so the practical exposure is any deployment on which the installation pages are still reachable. Because the XSS is reflected, a victim must be induced to submit (or follow a link that submits) the crafted installer request; the payload is not stored.
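The pattern behind this class of bug, as an added example that is not Subrion's code: an installer step that re-renders the submitted database and admin fields inside `value="..."` attributes. Only the five field names come from the CVE description; the form layout, the attribute-context payload and the probing function are constructed for this illustration, and the real installer's HTML will differ. The example also shows why escaping only `<`, `>` and `&` is an incomplete fix for an attribute context, and includes the check a tester would run against each field.

```python
import html

# Field names listed in the CVE description; everything else here is constructed.
REFLECTED_FIELDS = ("dbhost", "dbname", "dbuser", "adminusername", "adminemail")

# Constructed attribute-context payload: it contains no < > or &, so a fix that
# escapes only angle brackets does nothing; the leading double quote closes the
# value="..." attribute and the rest becomes live attributes on the <input>.
PAYLOAD = '" autofocus onfocus="alert(document.domain)'


def _form(params, encode):
    """Render the installer form, passing each echoed value through `encode`."""
    rows = [
        f'<input name="{field}" value="{encode(params.get(field, ""))}">'
        for field in REFLECTED_FIELDS
    ]
    return '<form method="post">' + "".join(rows) + "</form>"


def render_vulnerable(params):
    """Installer step that echoes submitted values back with no encoding."""
    return _form(params, lambda v: v)


def render_escape_tags_only(params):
    """Common incomplete fix: neutralises < > & but leaves quotes untouched,
    so attribute breakout still works."""
    return _form(params, lambda v: html.escape(v, quote=False))


def render_fixed(params):
    """Correct fix for an attribute context: encode quotes as well
    (PHP equivalent: htmlspecialchars($v, ENT_QUOTES, 'UTF-8'))."""
    return _form(params, lambda v: html.escape(v, quote=True))


def reflected_fields(render, payload=PAYLOAD):
    """Probe one field at a time and report which fields echo the payload
    verbatim, i.e. reflect it into the attribute without encoding.

    Against a live target the `render` callable would be replaced by a function
    that POSTs the params to the installer and returns the response body."""
    hits = []
    for field in REFLECTED_FIELDS:
        body = render({field: payload})
        if f'value="{payload}"' in body:
            hits.append(field)
    return hits


if __name__ == "__main__":
    for name, render in (("vulnerable", render_vulnerable),
                         ("escape <>& only", render_escape_tags_only),
                         ("ENT_QUOTES-style", render_fixed)):
        print(f"{name:18s} reflects unencoded: {reflected_fields(render)}")
    print(render_fixed({"dbhost": PAYLOAD}))
```

The verbatim-substring check is deliberately the simplest first-pass test: a field that passes it is reflecting attacker input unencoded in an attribute, which is sufficient for the breakout shown here regardless of what other filtering the page applies to angle brackets.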

Exploits (1)

Source: nomisec · Working PoC
by sromanhu · poc
https://github.com/sromanhu/CVE-2023-43875-Subrion-CMS-Reflected-XSS---Installation


Classification: Working PoC (95%)
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Subrion CMS v4.2.1
Authentication: none needed
Prerequisites: Access to the Subrion CMS installation page
MITRE ATT&CK: none listed
Analysis: devstral-2, analyzed Feb 19, 2026

Scores

CVSS v3.1 base score: 6.1 (Medium)
EPSS: 0.0260 (2.6%)
EPSS Percentile: 86.0%
Attack Vector: Network
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: partial

Details

CWE: CWE-79 (Improper Neutralization of Input During Web Page Generation)
Status: published
Products (2):
intelliants/subrion (Packagist)
intelliants/subrion_cms 4.2.1
Published: Oct 19, 2023
Tracked Since: Feb 18, 2026