PT-2017-16877 · Subrion · Subrion Cms
Published 2017-03-27 · Updated 2019-03-13 · CVE-2017-6069
CVSS v3.1: 8.8 (High)
| Vector | AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Subrion CMS version 4.0.5
Description
The issue allows an attacker to perform a CSRF attack on the "admin/blog/add/" endpoint, enabling them to add any tag. Additionally, the attacker can optionally insert XSS via the tags parameter.
Recommendations
For Subrion CMS version 4.0.5, consider disabling access to the "admin/blog/add/" endpoint until a fix is available, and restrict the use of the tags parameter to prevent XSS insertion.
Fix
CSRF
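The two controls that address the class of issue described above (a state-changing admin endpoint accepting forged cross-site requests, and untrusted tag values reaching the page) are shown in the following added example. It is illustrative code written for this page, not Subrion's own handler: the request handler, the session-backed token storage and the allowed tag character set are assumptions, chosen to show a per-session anti-CSRF token verified on every POST and a tags parameter that is validated on input and encoded on output.

```php
<?php
// Added example, not Subrion's code: a hypothetical admin "blog/add" handler
// with a session-bound CSRF token and strict handling of the "tags" parameter.

session_start();

// Issue one anti-CSRF token per session. The add form embeds it in a hidden
// field; a cross-site page cannot read it, so a forged POST cannot supply it.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_check(array $post): bool {
    $sent = $post['csrf_token'] ?? '';
    // hash_equals compares in constant time, so the token does not leak via timing.
    return is_string($sent)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $sent);
}

// Accept only short, plain tags (assumed policy: letters, digits, space, _ and -).
// Anything containing markup is rejected rather than stored, so a tag can never
// carry a script into the admin pages.
function parse_tags(string $raw): array {
    $tags = [];
    foreach (explode(',', $raw) as $tag) {
        $tag = trim($tag);
        if ($tag === '') {
            continue;
        }
        if (!preg_match('/^[\p{L}\p{N} _-]{1,40}$/u', $tag)) {
            throw new InvalidArgumentException('Rejected tag: ' . $tag);
        }
        $tags[] = $tag;
    }
    return array_values(array_unique($tags));
}

// Output encoding is applied whenever a tag is rendered, as defence in depth
// even though the input filter above already excludes markup characters.
function render_tag(string $tag): string {
    return htmlspecialchars($tag, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Hardened handler: POST only, token verified, tags validated before storage.
function add_blog_entry(array $post, string $method): array {
    if ($method !== 'POST') {
        http_response_code(405);
        throw new RuntimeException('POST required');
    }
    if (!csrf_check($post)) {
        http_response_code(403);
        throw new RuntimeException('CSRF token missing or invalid');
    }
    return [
        'title' => (string)($post['title'] ?? ''),
        'tags'  => parse_tags((string)($post['tags'] ?? '')),
    ];
}

// Demonstration with constructed input.
$token = csrf_token();
$legitimate = ['csrf_token' => $token, 'title' => 'Hello', 'tags' => 'news, security'];
$entry = add_blog_entry($legitimate, 'POST');
echo implode(' ', array_map('render_tag', $entry['tags'])), PHP_EOL;

try {
    // A request without the session token (the cross-site case) is refused.
    add_blog_entry(['title' => 'Forged', 'tags' => 'x'], 'POST');
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}

try {
    // A tag containing markup is refused before it is stored.
    add_blog_entry(['csrf_token' => $token, 'tags' => '<script>x</script>'], 'POST');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The token check and the tag validation are independent: the first stops the cross-site request from succeeding at all, the second ensures that even a request made by a logged-in administrator cannot persist markup through the tags parameter.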
Weakness Enumeration
Related Identifiers
Affected Products
Subrion Cms