CVE-2018-19422
published 2018-11-21

CVE-2018-19422: /panel/uploads in Subrion CMS 4.2.1 allows remote attackers to execute arbitrary PHP code via a .pht or .phar file, because the .htaccess file omits these extensions from its blocklist.

Priority: P2 (67, high)
CVSS 3.1: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
Flags: EXPLOIT
EPSS: 64.26% (99.1th percentile)

Affected (2 ranges)

Vendor       Product      Version range     Fixed in
intelliants  subrion      >= 0 < 4.2.2      4.2.2
intelliants  subrion_cms

Detection & IOCs (extracted from sources)

path      /panel/uploads
url       /panel/uploads/read.json
filename  *.phar
filename  *.pht
filename  *.xhtml
url       /uploads/<shell_name>.phar?cmd=id
command   ?cmd=id
  • Detect POST requests to /panel/uploads/read.json that upload files with .phar, .pht, or .xhtml extensions. These extensions are missing from the .htaccess blocklist and are the exploit's delivery mechanism.
  • Alert on GET requests to /uploads/*.phar, /uploads/*.pht, or /uploads/*.xhtml that carry a ?cmd= query parameter, indicating webshell command execution after the upload. The parameter name comes from the published exploit and is trivial to rename, so treat it as a high-confidence but low-coverage signal.
  • Flag multipart file uploads to /panel/uploads/read.json where the uploaded filename has a .phar, .pht, or .xhtml extension. The exploit uses a randomized base name with one of these extensions, so match on the extension and endpoint rather than on a fixed name.
  • The exploit requires prior authentication (CVSS PR:H); unauthenticated exploitation is not possible. Detection should account for a valid authenticated session preceding the malicious upload.
  • The uploaded .phar webshell uses a randomized filename, so static filename-based detection will not be reliable; pattern-based detection on the extension and upload path is required.
  • The webshell deletes itself after use, limiting forensic artifact recovery from disk; network-based detection of the ?cmd= execution pattern is more reliable.
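The detection rules above, run over constructed request records, as an added example that is not code from this page, from Subrion, or from any published exploit. It assumes a reverse proxy or WAF log that records the multipart filename of an upload (a plain Apache access log does not carry it, so the upload rule needs such a source); the record layout, the sample IPs and the hypothetical shell name are all constructed here. Beyond the two rules as stated, it also correlates an upload with a later execution from the same client, which is the chain the advisory describes.

```python
"""Detection logic for CVE-2018-19422-style upload-then-execute activity.

Added example, not code from the CVE page, Subrion, or any exploit author.
Record layout (a proxy/WAF export that logs the multipart filename) is an
assumption; all sample data below is constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Extensions named by the advisory (.phar, .pht) and the IOC list (.xhtml).
# Comparison is lowercased so .PhAr-style casing does not evade the rule.
DANGEROUS_EXTS = {"phar", "pht", "xhtml"}
UPLOAD_ENDPOINT = "/panel/uploads/read.json"
UPLOAD_DIR_RE = re.compile(r"^/uploads/[^/]+$")


@dataclass
class Request:
    ts: int                               # epoch seconds (constructed)
    client: str                           # client IP
    method: str
    url: str                              # path plus query string
    upload_filename: Optional[str] = None  # multipart filename, if logged


@dataclass
class Alert:
    rule: str
    client: str
    ts: int
    detail: str


def extension(name: str) -> str:
    """Lowercased final extension of a path-like name, '' if there is none."""
    base = name.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    return base.rsplit(".", 1)[1].lower() if "." in base else ""


def check_upload(req: Request) -> Optional[Alert]:
    """Rule 1: a bypass-extension file POSTed to the admin upload endpoint."""
    if req.method != "POST" or urlsplit(req.url).path != UPLOAD_ENDPOINT:
        return None
    if req.upload_filename is None:
        return None
    if extension(req.upload_filename) in DANGEROUS_EXTS:
        return Alert("bypass-upload", req.client, req.ts,
                     f"{req.upload_filename} -> {UPLOAD_ENDPOINT}")
    return None


def check_exec(req: Request) -> Optional[Alert]:
    """Rule 2: GET /uploads/<name>.<bypass ext> carrying a cmd= parameter."""
    parts = urlsplit(req.url)
    if req.method != "GET" or not UPLOAD_DIR_RE.match(parts.path):
        return None
    if extension(parts.path) not in DANGEROUS_EXTS:
        return None
    qs = parse_qs(parts.query)
    if "cmd" in qs:
        return Alert("webshell-exec", req.client, req.ts,
                     f"{parts.path} cmd={qs['cmd'][0]}")
    return None


def detect(requests, window: int = 3600) -> list:
    """Apply both rules in time order; chain an exec to a prior upload by client."""
    alerts = []
    uploads_by_client = {}
    for req in sorted(requests, key=lambda r: r.ts):
        hit = check_upload(req)
        if hit:
            alerts.append(hit)
            uploads_by_client.setdefault(req.client, []).append(req.ts)
        hit = check_exec(req)
        if hit:
            alerts.append(hit)
            prior = uploads_by_client.get(req.client, [])
            if any(0 <= req.ts - t <= window for t in prior):
                alerts.append(Alert("upload-then-exec", req.client, req.ts,
                                    "execution follows bypass upload from same client"))
    return alerts


# Constructed sample traffic: one benign admin session that turns malicious,
# plus two near-misses that must not fire. The shell name is hypothetical.
SAMPLE = [
    Request(1000, "198.51.100.7", "GET", "/panel/uploads"),
    Request(1005, "198.51.100.7", "POST", UPLOAD_ENDPOINT, "banner.PNG"),
    Request(1010, "198.51.100.7", "POST", UPLOAD_ENDPOINT, "k3j9f2ls.phar"),
    Request(1012, "198.51.100.7", "GET", "/uploads/k3j9f2ls.phar?cmd=id"),
    Request(1020, "203.0.113.9", "GET", "/uploads/k3j9f2ls.pht"),       # no cmd=
    Request(1030, "203.0.113.9", "GET", "/panel/uploads/read.json?cmd=id"),  # not /uploads/
]

if __name__ == "__main__":
    for a in detect(SAMPLE):
        print(f"{a.ts} {a.client} {a.rule}: {a.detail}")
```

Running the block on the sample yields three alerts for 198.51.100.7 (bypass-upload, webshell-exec, upload-then-exec) and none for 203.0.113.9. The chained rule is the one worth paging on: a single GET with cmd= from a scanner is noise, an upload followed by execution from the same client is the full exploit.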

CVSS provenance

Source  Version  Score  Severity  Vector
nvd     v3.1     7.2    HIGH      CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
nvd     v2.0     6.5    MEDIUM    AV:N/AC:L/Au:S/C:P/I:P/A:P