PT-2012-5977 · Intelliants · Subrion Cms

Gjoko Krstic

Published 2012-10-22 · Updated 2017-08-29

CVE-2012-5452

CVSS v2.0: 4.3 (Medium)

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions

Subrion CMS version 2.2.1
Subrion CMS version 2.2.2

Description

Subrion CMS writes several request parameters back into its HTML pages without sufficient output encoding, so a remote attacker can inject arbitrary web script or HTML (cross-site scripting) through them. The affected parameters are: multi title in "/blocks/add/"; cost, days or title[en] in "/plans/add/"; name or title[en] in "/fields/group/add/" within "admin/manage/"; and f[accounts][fullname] or f[accounts][username] in "/advsearch/". Version 2.2.1 is affected through all of these; for version 2.2.2 only the "/advsearch/" parameters are reported.

Recommendations

The injected values are attacker-supplied request parameters, so the remediation belongs in the application: every value read from these parameters must be HTML-encoded for the context it is written into (attribute value or element text), or rejected when it contains the characters <, >, " or '. Until a fixed release is available, apply that encoding or filtering as follows.

Subrion CMS version 2.2.1: the multi title parameter of "/blocks/add/"; the cost, days and title[en] parameters of "/plans/add/"; the name and title[en] parameters of "/fields/group/add/" within "admin/manage/"; and the f[accounts][fullname] and f[accounts][username] parameters of "/advsearch/". Limiting the "admin/manage/" endpoints to trusted administrator sessions reduces exposure of the first three, but does not replace the encoding.

Subrion CMS version 2.2.2: the f[accounts][fullname] and f[accounts][username] parameters of "/advsearch/".

At the moment there is no information about a newer version that contains a fix for this vulnerability.
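The check a tester would want for both the description and the recommendations above is a reflection probe: submit a unique marker wrapped in HTML metacharacters through each listed parameter and see whether the response echoes it raw (injectable), HTML-encoded (mitigated), or not at all. The following is an added example written for this page; it is not code from the advisory, from Zero Science Lab or from Subrion CMS. The endpoint and parameter names come from the advisory text, but the "admin/manage/" prefix on the first three paths is an assumption (the advisory states it only for "/fields/group/add/"), and the two handlers at the bottom are constructed stand-ins for a server, one echoing input raw and one encoding it, so the script runs offline. To run it against an authorised real instance you would pass in a `send` callable that posts the form with an HTTP client.

```python
"""Reflection check for the XSS parameters listed in this advisory.

Added example, not advisory or Subrion CMS code. The HTTP transport is a
send(path, params) -> body callable supplied by the caller, so the check can
run offline against the constructed handlers below.
"""
import html
import secrets
from typing import Callable, Dict, List, Tuple

# Endpoint -> parameters, as named in the advisory text (CVE-2012-5452).
# The admin/manage/ prefix on the first three paths is an assumption.
ADVISORY_PARAMS: Dict[str, List[str]] = {
    "/admin/manage/blocks/add/": ["multi title"],
    "/admin/manage/plans/add/": ["cost", "days", "title[en]"],
    "/admin/manage/fields/group/add/": ["name", "title[en]"],
    "/advsearch/": ["f[accounts][fullname]", "f[accounts][username]"],
}

Send = Callable[[str, Dict[str, str]], str]


def make_probe(token: str) -> str:
    """Marker that closes an attribute (") and a tag (>) and opens a new
    tag (<): harmless by itself, but unambiguous when it comes back raw."""
    return f'"><{token}>'


def classify(body: str, probe: str) -> str:
    """'unencoded' if the raw probe appears in the response (script
    injection is possible), 'encoded' if only the HTML-escaped form appears,
    'absent' if the value is not reflected at all."""
    if probe in body:
        return "unencoded"
    if html.escape(probe, quote=True) in body:
        return "encoded"
    return "absent"


def check_endpoints(send: Send,
                    endpoints: Dict[str, List[str]] = ADVISORY_PARAMS,
                    ) -> Dict[Tuple[str, str], str]:
    """Probe each (path, parameter) pair with its own random token, one
    parameter per request, so a hit is attributable to a single parameter."""
    results: Dict[Tuple[str, str], str] = {}
    for path, names in endpoints.items():
        for name in names:
            probe = make_probe(secrets.token_hex(4))
            body = send(path, {name: probe})
            results[(path, name)] = classify(body, probe)
    return results


def summarize(results: Dict[Tuple[str, str], str]) -> List[Tuple[str, str]]:
    """(path, parameter) pairs that reflected the probe unencoded."""
    return sorted(k for k, v in results.items() if v == "unencoded")


# Constructed stand-ins for a server (not Subrion code), used offline.

def vulnerable_handler(path: str, params: Dict[str, str]) -> str:
    """Writes each submitted value straight into an attribute and into
    element text, the pattern the advisory describes."""
    fields = "".join(
        f'<input name="{k}" value="{v}"><p>{v}</p>' for k, v in params.items()
    )
    return f'<html><body><form action="{path}">{fields}</form></body></html>'


def hardened_handler(path: str, params: Dict[str, str]) -> str:
    """Same page with context-appropriate HTML output encoding applied."""
    fields = "".join(
        f'<input name="{html.escape(k, quote=True)}" '
        f'value="{html.escape(v, quote=True)}"><p>{html.escape(v)}</p>'
        for k, v in params.items()
    )
    action = html.escape(path, quote=True)
    return f'<html><body><form action="{action}">{fields}</form></body></html>'


if __name__ == "__main__":
    for label, handler in (("vulnerable", vulnerable_handler),
                           ("hardened", hardened_handler)):
        hits = summarize(check_endpoints(handler))
        print(f"{label}: {len(hits)} unencoded reflection(s)")
        for path, name in hits:
            print(f"  {path} {name}")
```

The probe deliberately contains no script, so a positive result shows only that the page reflects the characters an injection would need; confirming an actual payload is a separate step to take only with authorisation. Running one parameter per request is slower than submitting all of them at once but avoids misattributing a reflection to the wrong field.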

Exploit

XSS

Related Identifiers

CVE-2012-5452

Affected Products

Subrion Cms