Subrion CMS, Cross-Site Scripting Vulnerability, Moderate Severity

Listen to this Post

The multiple reflected Cross-site Scripting (XSS) vulnerabilities in Subrion CMS v4.2.1 occur in the installation module. Attackers can inject malicious JavaScript code into the dbuser, dbpwd, and dbname parameters during the installation process. When these parameters are submitted to the server, the CMS reflects them back in the response without proper sanitization or encoding. This allows the injected scripts to be executed in the context of the user’s browser when they view the page. The vulnerability is exploitable through crafted URLs that include the malicious payloads. For example, an attacker could create a link with a payload in the dbname parameter and trick a user into clicking it during installation. Since the installation module is accessible before the CMS is fully set up, this can be a critical point of attack. The reflected XSS does not persist on the server, but it can lead to session hijacking if the user is an administrator. The attack requires user interaction, as the victim must visit the malicious URL. The root cause is the lack of input validation and output encoding in the installation scripts. Subrion CMS fails to escape user inputs before displaying them in HTML pages. This vulnerability is rated moderate because it requires user interaction and is limited to the installation phase. However, if exploited, it could allow attackers to steal credentials or perform unauthorized actions. To exploit, an attacker might use payloads like in the parameters. The server echoes this payload, and when rendered, the script executes. This can be demonstrated using tools like curl or browser developers’ tools. Proper mitigation involves validating and sanitizing all user inputs, implementing Content Security Policy (CSP), and encoding outputs. Developers should use HTML entity encoding for user-controlled data displayed in web pages. Users should ensure they install CMS from trusted sources and complete installation in a secure environment.
Platform: Subrion CMS
Version: v4.2.1
Vulnerability : Cross-site scripting
Severity: Moderate
date: Feb 3 2026

Prediction: Mar 2026

What Undercode Say:

Analytics:

curl -X GET “http://localhost/install/?dbuser=
curl -X POST “http://target/install/” -d “dbpwd=
Payload:

How Exploit:

Craft malicious URL with payload in dbuser, dbpwd, or dbname parameters. Trick user into clicking during installation. Script executes in victim’s browser, stealing cookies or sessions.

Protection from this CVE

Sanitize user inputs. Implement output encoding. Use Content Security Policy. Update to patched version.

Impact:

Session hijacking possible. Credential theft risk. Unauthorized actions potential. Moderate severity.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top