CVE-2019-20389: Subrion CMS XSS

CVSS Score (v3.1): 6.1

Basic Information

EPSS Score: 0.53937%
Published: 5/24/2022
Updated: 9/28/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name         Ecosystem   Vulnerable Versions   First Patched Version
intelliants/subrion  composer    <= 4.2.1              (not listed)

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The provided vulnerability reports describe an XSS issue in Subrion CMS 4.2.1 involving improper output encoding of the v[language_switch] parameter. However, no specific code snippets, patch diffs, or file paths were disclosed in the advisory details. Without access to the actual implementation code (e.g., the PHP controller handling the /panel/configuration/general endpoint or the associated template rendering logic), we cannot definitively identify the vulnerable functions (e.g., specific echo statements, template rendering methods, or input sanitization routines). The vulnerability likely stems from missing output encoding in the view layer when rendering the v[language_switch] value, but the absence of concrete code examples or commit history prevents high-confidence identification of exact functions.

WAF Protection Rules

WAF Rule

An XSS issue was identified on the Subrion CMS 4.2.1 /panel/configuration/general settings page. A remote attacker can inject arbitrary JavaScript code in the `v[language_switch]` parameter (within multipart/form-data), which is reflected back within