This issue is rated critical because it can be triggered by a maliciously crafted URL and is reported as allowing remote code execution. Note that a cross-site scripting flaw executes in the victim's browser; reaching code execution on the server from it requires chaining with a privileged function, typically by targeting an administrator. Intelliants recommends upgrading to the latest version of Subrion CMS.

In addition to the XSS flaw, this version of Subrion CMS is also vulnerable to SQL injection: an attacker can inject arbitrary SQL into the queries the application sends to its database, changing what those queries return or do.

Another critical vulnerability in this version of Subrion CMS allows remote attackers to execute arbitrary code via a crafted request in which an absolute path is not properly sanitized. XXE and clickjacking weaknesses are also reported for this version; they are distinct issues and are not consequences of the path-handling flaw.
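The following is an added illustration, not Subrion CMS code, of why an unsanitised absolute path in a request is dangerous and how a user-supplied path is normally confined to a base directory. BASE_DIR, the sample request paths and the function names are assumptions for the example.

```python
"""Added illustration (not Subrion CMS code): why an unsanitised absolute
path in a request is dangerous and how to confine a user-supplied path to a
base directory. BASE_DIR is a hypothetical location, not a real Subrion path."""
import os

BASE_DIR = "/var/www/subrion/uploads"  # hypothetical base directory


class PathRejected(ValueError):
    """Raised when a requested path would leave the base directory."""


def resolve_vulnerable(base: str, user_path: str) -> str:
    """Deliberately weak: os.path.join drops `base` entirely when `user_path`
    is absolute, and nothing checks for '..' traversal."""
    return os.path.join(base, user_path)


def resolve_confined(base: str, user_path: str) -> str:
    """Hardened: refuse absolute input, normalise the joined path, and require
    it to stay under `base` after symlink resolution."""
    if os.path.isabs(user_path):
        raise PathRejected(f"absolute path not allowed: {user_path!r}")
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, user_path))
    # commonpath compares whole path components, so a sibling such as
    # 'uploads-evil' does not pass as being inside 'uploads'.
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise PathRejected(f"path escapes base directory: {user_path!r}")
    return candidate


def classify(base: str, user_path: str) -> str:
    """Return 'allowed' or 'rejected' for a request path against `base`."""
    try:
        resolve_confined(base, user_path)
        return "allowed"
    except PathRejected:
        return "rejected"


# Constructed request inputs: one benign, two hostile.
SAMPLE_PATHS = ["templates/page.html", "/etc/passwd", "../../etc/passwd"]


def demo() -> dict:
    return {
        # the weak join returns the attacker's path with the base discarded
        "vulnerable_resolves_to": resolve_vulnerable(BASE_DIR, "/etc/passwd"),
        "confined": {p: classify(BASE_DIR, p) for p in SAMPLE_PATHS},
    }


if __name__ == "__main__":
    print(demo())
```

The check after normalisation matters as much as the absolute-path test: a relative input built from `..` segments is rejected by the same `commonpath` comparison, so both ways of escaping the base directory are covered by one rule.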

In addition to the XSS and SQL injection vulnerabilities above, a number of other issues could be leveraged to deliver malicious code to users of Intelliants Subrion CMS. These issues include:
Intelliants also recommends installing the latest version of Subrion CMS to fix a number of other bugs. This update fixes several critical vulnerabilities, including:
If you run this version of Subrion CMS, apply the latest vendor patch as soon as possible.

Vulnerable Subrion CMS version: 2.0.9

Patch status: Security update available

Installation and Upgrade Tips

First, if you are running this version of Subrion CMS, upgrade your installation to the latest release.
If you have not applied the previous vendor patch for this version of Subrion CMS, install it before applying any later patches.
Next, restart the web server and re-run the installer so that the updated components are properly installed and enabled on your site.
Finally, change your passwords after installing this or any other vendor update. Because the SQL injection flaw could have exposed stored credentials, treat administrator accounts as the priority.

Critical SQL Injection Vulnerability

A critical SQL injection vulnerability was discovered in this version of Subrion CMS. An attacker who can inject arbitrary SQL into the application's database queries can read or modify data those queries were never meant to touch, producing results the application does not expect.
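As an added illustration of the SQL injection described above and earlier on this page (not Subrion CMS code, and with a constructed sample table rather than the real schema), the block below runs two attacker inputs through a string-built query and through the bound-parameter form that defeats them:

```python
"""Added illustration (not Subrion CMS code): what "injecting arbitrary SQL"
looks like against a string-built query, and the bound-parameter form that
stops it. The members table and its rows are constructed sample data."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table standing in for a CMS members table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE members (id INTEGER, username TEXT, email TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO members VALUES (?, ?, ?, ?)",
        [
            (1, "admin", "admin@example.test", 1),
            (2, "alice", "alice@example.test", 0),
            (3, "bob", "bob@example.test", 0),
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Deliberately vulnerable: the input is spliced into the SQL text, so a
    quote in it ends the literal and the remainder is parsed as SQL."""
    sql = f"SELECT id, username, email FROM members WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Hardened: the input is bound as a parameter and can only ever be data."""
    sql = "SELECT id, username, email FROM members WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Constructed attacker inputs.
TAUTOLOGY = "x' OR '1'='1"  # widens the WHERE clause to every row
UNION_PAYLOAD = (            # appends a second SELECT that pulls another column
    "x' UNION SELECT id, username, is_admin FROM members WHERE '1'='1"
)


def demo() -> dict:
    conn = make_db()
    return {
        # tautology: all three rows come back instead of none
        "tautology_rows": len(lookup_vulnerable(conn, TAUTOLOGY)),
        # union: the is_admin flag appears where the email column should be
        "union_exposes_admin_flag": any(
            row[2] == 1 for row in lookup_vulnerable(conn, UNION_PAYLOAD)
        ),
        # the same inputs through the parameterized query match no username
        "safe_rows": len(lookup_safe(conn, TAUTOLOGY))
        + len(lookup_safe(conn, UNION_PAYLOAD)),
    }


if __name__ == "__main__":
    print(demo())
```

The UNION payload is the one to keep in mind when reading "produce unexpected results": the attacker is not limited to widening a filter but can pull columns, such as an admin flag or a password hash, from tables the original query never selected. The parameterized version returns nothing for either input because the whole string is compared against the username column as data.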

Timeline

Published on: 11/09/2022 16:15:00 UTC
Last modified on: 11/09/2022 20:13:00 UTC

References