CVE-2021-43724: this is Cross Site Scripting (XSS) · Issue #890 · intelliants/subrion

A Cross Site Scripting (XSS) vulnerability exists in Subrion CMS through 4.2.1 in the Create Page functionality of the admin account via an SVG file.

CVE
#xss#vulnerability#git

I have found a Cross Site Scripting (XSS) bug in Subrion CMS version 4.2.1 in the Create Page functionality of the admin account.

Steps to Reproduce:

1. Log in as admin and open this URL: https://demos.subrion.org/?demo=core&admin=1
2. As admin, create a test page.
3. In the Add a Page section go to the Page Content, click "image" and choose the local file 123.svg to upload at the URL: https://demos.subrion.org/_core/admin/elfinder/?mode=image&CKEditor=contents%5Ben%5D&CKEditorFuncNum=1&langCode=en#elf_l1_Lw

The content of 123.svg:

<svg
onload="alert('xss attach')"
 xmlns="http://www.w3.org/2000/svg">
</svg>


Copy the URL of 123.svg and add a link to it in the page content.

Save the new page and open the new page: http://localhost/123.html


An XSS prompt box will pop up.

Impact: Session cookies can be stolen, users can be redirected to phishing pages, the browser of the user visiting this page can be controlled, etc.

POCs have been uploaded.
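A server-side check for the upload step described in the report, as an added example that is not part of the original issue or of Subrion's code. It parses a candidate SVG with Python's standard XML parser and rejects any element or attribute that would execute when the file is opened as a document: `<script>` and other active elements, `on*` event handlers (the `onload` used in the report), and `href`/`src` values with `javascript:` or `data:` schemes. The function and sample names (`svg_findings`, `accept_upload`, `ISSUE_PAYLOAD`, `CLEAN_SVG`, `SCRIPT_SVG`) are mine; the samples are constructed here, the first one from the payload shown in the issue.

```python
"""Reject SVG uploads that can run script when opened as a top-level document.

Added example; not Subrion's own code. Sample inputs are constructed here.
"""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"

# Elements that execute or embed active content inside an SVG document.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}

# Attributes that carry a URI the browser may navigate to or load.
URI_ATTRS = {"href", "src"}
ACTIVE_SCHEMES = re.compile(r"^\s*(javascript|data|vbscript)\s*:", re.I)


def _local(name: str) -> str:
    """Strip an ElementTree '{namespace}' prefix: '{uri}onload' -> 'onload'."""
    return name.rsplit("}", 1)[-1]


def svg_findings(data: bytes) -> list[str]:
    """Return the reasons an SVG is unsafe to serve; an empty list means clean."""
    findings: list[str] = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        # A file that is not well-formed XML is not an SVG image either.
        return [f"not well-formed XML: {exc}"]

    if root.tag != "{%s}svg" % SVG_NS:
        findings.append("root element is not <svg> in the SVG namespace")

    for el in root.iter():
        tag = _local(el.tag).lower()
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"active element <{tag}>")
        for attr, value in el.attrib.items():
            name = _local(attr).lower()
            if name.startswith("on"):
                # Event handlers such as onload run with the origin the SVG is served from.
                findings.append(f"event handler {name}= on <{tag}>")
            elif name in URI_ATTRS and ACTIVE_SCHEMES.match(value):
                findings.append(f"{name} with active scheme on <{tag}>")
    return findings


def accept_upload(data: bytes) -> bool:
    """Gate for an image upload handler: True only when no finding is raised."""
    return not svg_findings(data)


# Constructed sample: the payload from the issue (an onload handler on <svg>).
ISSUE_PAYLOAD = b"""<svg
onload="alert('xss attach')"
 xmlns="http://www.w3.org/2000/svg">
</svg>"""

# Constructed sample: a plain drawing with no active content.
CLEAN_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
    b'<circle cx="5" cy="5" r="4" fill="red"/></svg>'
)

# Constructed sample: script element plus a javascript: link via xlink:href.
SCRIPT_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg">'
    b"<script>alert(1)</script>"
    b'<a xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="javascript:alert(2)">x</a>'
    b"</svg>"
)

if __name__ == "__main__":
    for label, sample in (("issue", ISSUE_PAYLOAD), ("clean", CLEAN_SVG), ("script", SCRIPT_SVG)):
        print(label, "accepted" if accept_upload(sample) else "rejected", svg_findings(sample))
```

Two caveats for anyone adapting this. The stdlib parser is fine for the structural checks above, but for untrusted XML in production use `defusedxml` (or equivalent) so entity-expansion tricks cannot exhaust the server. And sanitising is only half the fix: the report's payload fires because the page links to the SVG as a top-level document; the same file referenced from an `<img>` tag does not run script. Serving user uploads with `Content-Disposition: attachment` or a `Content-Security-Policy: sandbox` header removes the script-execution path even when a check like this one is bypassed.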
