CVE-2018-14840: Subrion CMS Cross-site Scripting
6.1
CVSS Score
3.0
Basic Information
CVE ID
GHSA ID
EPSS Score
0.8709%
CWE
Published
5/14/2022
Updated
9/21/2023
KEV Status
No
Technology
PHP
Technical Details
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
intelliants/subrion | composer | < 4.2.2 | 4.2.2 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from a misconfiguration in the 'uploads/.htaccess' file, which failed to block .html file uploads. This allowed attackers to upload malicious HTML files leading to XSS. The core issue lies in server configuration (Apache directives in .htaccess
) rather than specific PHP
functions. While file upload handling functions
might be involved indirectly, the provided data (commit diffs, CVE description) explicitly points to the .htaccess
configuration as the root cause. No specific PHP
functions in the codebase are identified with high confidence from the available information.