Lucene search

GitHub Advisory DatabaseGHSA-Q4H5-G3W8-F9X7

HistoryMay 14, 2022 - 1:22 a.m.

Subrion CMS vulnerable to CSRF in admin/blocks/add

2022-05-1401:22:02

CWE-352

GitHub Advisory Database

github.com

subrion cms

4.0.5

csrf

vulnerability

admin

blocks

add

attacker

create

xss

content

parameter

software

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

43.5%

JSON

Subrion CMS 4.0.5 has CSRF in admin/blocks/add/. The attacker can create any block, and can optionally insert XSS via the content parameter.

Affected configurations

Vulners

Node

intelliantssubrionRange≤4.0.5

VendorProductVersionCPE
intelliantssubrion*cpe:2.3:a:intelliants:subrion:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
intelliants	subrion	*	cpe:2.3:a:intelliants:subrion::::::::

References

github.com/advisories/GHSA-q4h5-g3w8-f9x7

nvd.nist.gov/vuln/detail/CVE-2017-6068

web.archive.org/web/20210126223835/www.securityfocus.com/bid/97091

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

43.5%

JSON

Related for GHSA-Q4H5-G3W8-F9X7