Advisories for Composer/Intelliants/Subrion package

2022

Cross-Site Request Forgery (CSRF)

A Cross-Site Request Forgery (CSRF) vulnerability exists in Intelliants Subrion CMS v4.2.1 via the Members administrator function, which could let a remote unauthenticated attacker trick an authenticated victim into submitting a forged request that creates an arbitrary administrator user.

2020

Cross-Site Scripting (XSS)

A reflected XSS issue was identified on the Subrion CMS /panel/configuration/general settings page. A remote attacker can inject arbitrary JavaScript code via the v[language_switch] parameter (sent as multipart/form-data), which is reflected back into the user's browser without proper output encoding.

Cross-Site Request Forgery (CSRF)

A Cross-Site Request Forgery (CSRF) vulnerability was discovered in Subrion that allows a remote attacker to remove files on the server without the victim's knowledge, by enticing an authenticated user to visit an attacker-controlled web page. The application fails to validate the CSRF token for a GET request, so a panel/uploads/read.json?cmd=rm URL with the token omitted is still processed when the victim's browser requests it.

2017

Code Injection

A vulnerability in includes/classes/ia allows remote attackers to conduct PHP Object Injection attacks via crafted serialized data in a salt cookie that is deserialized during a login request.