Intelliants : Security Vulnerabilities, CVEs, CVSS score >= 7
Subrion 4.2.1 has a remote command execution vulnerability in the backend.
Max CVSS
8.8
EPSS Score
0.08%
Published
2023-11-03
Updated
2023-11-13
A Remiote Code Execution (RCE) vulnerability exiss in Subrion CMS 4.2.1 via modified code in a background field; when the information is modified, the data in it will be executed through eval().
Max CVSS
8.8
EPSS Score
0.11%
Published
2022-04-04
Updated
2022-04-12
A SQL injection vulnerability exists in Subrion CMS v4.2.1 in the visual-mode.
Max CVSS
7.2
EPSS Score
0.11%
Published
2021-10-08
Updated
2021-11-30
Cross Site Request Forgery (CSRF) vulnerability exists in Intelliants Subrion CMS v4.2.1 via the Members administrator function, which could let a remote unauthenticated malicious user send an authorised request to victim and successfully create an arbitrary administrator user.
Max CVSS
8.8
EPSS Score
0.15%
Published
2022-03-04
Updated
2022-03-11
SQL Injection vulnerability in Subrion CMS v4.2.1 in the search page if a website uses a PDO connection.
Max CVSS
9.8
EPSS Score
0.20%
Published
2021-07-14
Updated
2021-07-29
Subrion CMS 4.2.1 allows CSV injection via a phrase value within a language. This is related to phrases/add/ and languages/download/.
Max CVSS
7.8
EPSS Score
0.11%
Published
2020-04-29
Updated
2020-05-01
A Cross-Site Request Forgery (CSRF) vulnerability was discovered in Subrion CMS 4.2.1 that allows a remote attacker to remove files on the server without a victim's knowledge, by enticing an authenticated user to visit an attacker's web page. The application fails to validate the CSRF token for a GET request. An attacker can craft a panel/uploads/read.json?cmd=rm URL (removing this token) and send it to the victim.
Max CVSS
8.1
EPSS Score
0.12%
Published
2020-05-15
Updated
2020-05-18
Subrion CMS 4.2.1 has CSRF in panel/modules/plugins/. The attacker can remotely activate/deactivate the plugins.
Max CVSS
8.8
EPSS Score
0.15%
Published
2020-11-10
Updated
2020-11-25
Subrion CMS 4.1.5 (and possibly earlier versions) allow CSRF to change the administrator password via the panel/members/edit/1 URI.
Max CVSS
8.8
EPSS Score
0.11%
Published
2020-03-17
Updated
2020-03-20
CVE-2018-19422
Public exploit
/panel/uploads in Subrion CMS 4.2.1 allows remote attackers to execute arbitrary PHP code via a .pht or .phar file, because the .htaccess file omits these.
Max CVSS
7.2
EPSS Score
83.51%
Published
2018-11-21
Updated
2023-08-04
Subrion CMS 4.1.5 has CSRF in blog/delete/.
Max CVSS
8.8
EPSS Score
0.11%
Published
2019-04-15
Updated
2019-04-15
There are CSRF vulnerabilities in Subrion CMS 4.1.x through 4.1.5, and before 4.2.0, because of a logic error. Although there is functionality to detect CSRF, it is called too late in the ia.core.php code, allowing (for example) an attack against the query parameter to panel/database.
Max CVSS
8.8
EPSS Score
0.05%
Published
2017-10-06
Updated
2018-11-08
Subrion CMS before 4.1.6 has a SQL injection vulnerability in /front/actions.php via the $_POST array.
Max CVSS
9.8
EPSS Score
0.21%
Published
2017-07-19
Updated
2017-07-20
Subrion CMS before 4.1.5.10 has a SQL injection vulnerability in /front/search.php via the $_GET array.
Max CVSS
9.8
EPSS Score
1.80%
Published
2017-07-19
Updated
2017-07-20
Subrion CMS 4.0.5 has CSRF in admin/blog/add/. The attacker can add any tag, and can optionally insert XSS via the tags parameter.
Max CVSS
8.8
EPSS Score
0.11%
Published
2017-03-27
Updated
2019-03-13
Subrion CMS 4.0.5 has CSRF in admin/blocks/add/. The attacker can create any block, and can optionally insert XSS via the content parameter.
Max CVSS
8.8
EPSS Score
0.11%
Published
2017-03-27
Updated
2019-03-13
Subrion CMS 4.0.5 has CSRF in admin/languages/edit/1/. The attacker can perform any Edit Language action, and can optionally insert XSS via the title parameter.
Max CVSS
8.8
EPSS Score
0.11%
Published
2017-03-27
Updated
2019-03-13
Subrion CMS 4.0.5.10 has SQL injection in admin/database/ via the query parameter.
Max CVSS
9.8
EPSS Score
0.20%
Published
2017-03-27
Updated
2019-03-12
Subrion CMS 4.0.5.10 has CSRF in admin/blog/add/. The attacker can add any blog entry, and can optionally insert XSS into that entry via the body parameter.
Max CVSS
8.8
EPSS Score
0.07%
Published
2017-03-27
Updated
2017-03-28
includes/classes/ia.core.users.php in Subrion CMS 4.0.5 allows remote attackers to conduct PHP Object Injection attacks via crafted serialized data in a salt cookie in a login request.
Max CVSS
9.8
EPSS Score
0.31%
Published
2017-01-20
Updated
2018-11-08
SQL injection vulnerability in register/ in Subrion CMS before 2.2.3 allows remote attackers to execute arbitrary SQL commands via the plan_id parameter.
Max CVSS
7.5
EPSS Score
0.73%
Published
2012-10-22
Updated
2017-08-29
SQL injection vulnerability in admin/index.php in Subrion CMS 2.0.4 allows remote attackers to execute arbitrary SQL commands via the (1) user name or (2) password field.
Max CVSS
7.5
EPSS Score
0.40%
Published
2012-10-22
Updated
2013-02-14
22 vulnerabilities found