CVE-2018-14840
Published 2018-08-02
CVE-2018-14840: uploads/.htaccess in Subrion CMS 4.2.1 allows XSS because it does not block .html file uploads (but does block, for example, .htm file uploads).
Priority P337 · medium · 6.1 (CVSS 3.0)
CVSS 3.0 vector: AV:N / AC:L / PR:N / UI:R / S:C / C:L / I:L / A:N
EXPLOIT
EPSS: 3.67% (88.3rd percentile)
uploads/.htaccess in Subrion CMS 4.2.1 allows XSS because it does not block .html file uploads (but does block, for example, .htm file uploads).
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| intelliants | subrion | — | — |
| intelliants | subrion | >= 0 < 4.2.2 | 4.2.2 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 6.1 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
OSV
Subrion CMS Cross-site Scripting (osv · 2022-05-14)
CVE-2018-14840 [MEDIUM] Subrion CMS Cross-site Scripting
`uploads/.htaccess` in Subrion CMS 4.2.1 allows XSS because it does not block .html file uploads (but does block, for example, .htm file uploads).
GHSA
Subrion CMS Cross-site Scripting (ghsa · 2022-05-14)
CVE-2018-14840 [MEDIUM] CWE-79 Subrion CMS Cross-site Scripting
`uploads/.htaccess` in Subrion CMS 4.2.1 allows XSS because it does not block .html file uploads (but does block, for example, .htm file uploads).
No detection rules found.
No writeups or analysis indexed.
References
https://github.com/intelliants/subrion/commit/cb10ac2294cb2c3a6d2159f9a2bb8c58a2a10a47
https://github.com/intelliants/subrion/issues/773
https://www.exploit-db.com/exploits/45150/