CVE-2019-20389

An XSS issue was identified on the Subrion CMS 4.2.1 /panel/configuration/general settings page. A remote attacker can inject arbitrary JavaScript code in the v[language_switch] parameter (within multipart/form-data), which is reflected back within a user's browser without proper output encoding.

CVE-2018-14840

uploads/.htaccess in Subrion CMS 4.2.1 allows XSS because it does not block .html file uploads (but does block, for example, .htm file uploads).

CVE-2018-11317

Subrion CMS before 4.1.4 has XSS.

CVE-2018-15563

_core/admin/pages/add/ in Subrion CMS 4.2.1 has XSS via the titles[en] parameter.

CVE-2020-23761

Cross Site Scripting (XSS) vulnerability in subrion CMS Version

CVE-2017-10795

Cross-site scripting (XSS) vulnerability in Subrion CMS 4.1.4 allows remote attackers to inject arbitrary web script or HTML via the body to blog/add/, a different vulnerability than CVE-2017-6069.

CVE-2020-12467

Subrion CMS 4.2.1 allows session fixation via an alphanumeric value in a session cookie.

CVE-2020-22330

Cross-Site Scripting (XSS) vulnerability in Subrion 4.2.1 via the title when adding a page.

CVE-2020-12469

admin/blocks.php in Subrion CMS through 4.2.1 allows PHP Object Injection (with resultant file deletion) via serialized data in the subpages value within a block to blocks/edit.