-
CVSS Score
-Basic Information
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AIMiggo AIRoot Cause AnalysisThe vulnerability is a stored XSS triggered via the 'body' parameter in the blog/add/ endpoint. CWE-79 explicitly points to improper output neutralization during web page generation. This strongly suggests the issue lies in how the blog post content is rendered, not just input handling. Subrion CMS likely stores raw user input and escapes it during rendering. The absence of escaping in the blog post template (e.g., using {$body} instead of {$body|escape} in Smarty) would directly cause the XSS. The inferred file path aligns with Subrion's structure, where blog templates reside in modules/blog/views.
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| intelliants/subrion | composer | <= 4.1.5 | 4.1.6 |