CVE-2025-70958 Overview
CVE-2025-70958 affects Subrion CMS v4.2.1, an open-source content management system developed by Intelliants. The installation module contains multiple reflected cross-site scripting (XSS) vulnerabilities [CWE-79]. Attackers can inject crafted JavaScript payloads through the dbuser, dbpwd, and dbname parameters. The payloads execute in the victim's browser context after the user follows a malicious link.
Critical Impact
Attackers can execute arbitrary JavaScript in the victim's browser, enabling session hijacking, credential theft, and malicious actions performed under the target user's identity.
Affected Products
- Intelliants Subrion CMS 4.2.1
- Installation module endpoints accepting dbuser, dbpwd, and dbname parameters
- Deployments where the installation script remains accessible post-setup
Discovery Timeline
- 2026-02-02 - CVE-2025-70958 published to NVD
- 2026-02-11 - Last updated in NVD database
Technical Details for CVE-2025-70958
Vulnerability Analysis
The vulnerability resides in the Subrion CMS v4.2.1 installation workflow. The installer accepts database configuration values through HTTP request parameters and reflects those values back into the rendered HTML response without proper output encoding. An attacker who crafts a URL containing JavaScript in the dbuser, dbpwd, or dbname parameters can trigger script execution when a victim loads the page.
Because this is a reflected XSS issue, exploitation requires user interaction. The attacker delivers the malicious link through phishing, chat platforms, or other social engineering channels. Once the victim opens the link, the injected payload runs with the privileges of the user's browser session against the Subrion CMS domain.
The attack changes scope from the vulnerable component to the user's browser security context, allowing access to cookies, session tokens, and same-origin resources. Successful exploitation enables credential theft, defacement of rendered pages, and forced actions inside an authenticated administrator session if one is active.
Root Cause
The root cause is missing input validation and output sanitization in the installation module. User-supplied values for the dbuser, dbpwd, and dbname parameters are inserted directly into HTML responses without HTML entity encoding or contextual escaping.
Attack Vector
The attack vector is network-based and requires user interaction. An attacker constructs a URL targeting the installation script with JavaScript payloads in the affected parameters. Installations that leave the install module accessible after initial setup remain vulnerable to drive-by exploitation through crafted links. Technical proof-of-concept details are published in the GitHub Subrion CMS Exploit repository.
Detection Methods for CVE-2025-70958
Indicators of Compromise
- HTTP requests to Subrion CMS installation endpoints containing <script>, onerror=, or javascript: tokens in the dbuser, dbpwd, or dbname parameters
- Server access logs showing repeated GET or POST requests to the installer after initial site setup
- Outbound requests from browsers to attacker-controlled domains immediately following clicks on Subrion CMS URLs
Detection Strategies
- Inspect web server logs for URL-encoded XSS payloads targeting installer parameters
- Deploy Web Application Firewall (WAF) signatures for reflected XSS patterns on Subrion CMS paths
- Use static analysis on Subrion CMS deployments to confirm whether installer files remain web-accessible
Monitoring Recommendations
- Alert on any HTTP traffic reaching the installation module after initial deployment completes
- Monitor for anomalous JavaScript execution in browser telemetry on pages served by Subrion CMS
- Correlate phishing email indicators with inbound clicks targeting Subrion CMS hosts
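As an added example (not part of this advisory or of Subrion CMS), a small Python log scanner that applies the indicator and monitoring checks above to constructed access-log lines: it URL-decodes the dbuser, dbpwd and dbname parameters of requests to the installer path, flags the listed tokens, and also flags any installer hit at all. The combined log format and the /install/ path are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed sample access-log lines (nginx/Apache "combined" style), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [02/Feb/2026:10:01:12 +0000] "GET /install/?dbuser=%3Cscript%3Ealert(1)%3C%2Fscript%3E&dbname=sub HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [02/Feb/2026:10:02:40 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Feb/2026:10:03:01 +0000] "GET /install/ HTTP/1.1" 200 4096 "-" "curl/8.0"
198.51.100.7 - - [02/Feb/2026:10:03:05 +0000] "POST /install/?dbpwd=x%22%20onerror%3Dalert(1) HTTP/1.1" 200 4096 "-" "curl/8.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Tokens from the indicators of compromise list, matched case-insensitively after decoding.
XSS_TOKENS = ("<script", "onerror=", "javascript:")
WATCHED_PARAMS = ("dbuser", "dbpwd", "dbname")
INSTALLER_PREFIX = "/install/"  # assumed installer path


def classify_line(line):
    """Return (ip, verdict) or None for unparseable lines.

    verdict is "xss-payload", "installer-access" or "clean".
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.startswith(INSTALLER_PREFIX):
        return m.group("ip"), "clean"
    # parse_qs already URL-decodes once; a second decode catches double-encoded payloads.
    qs = parse_qs(parts.query, keep_blank_values=True)
    for param in WATCHED_PARAMS:
        for value in qs.get(param, []):
            if any(tok in unquote_plus(value).lower() for tok in XSS_TOKENS):
                return m.group("ip"), "xss-payload"
    # Any installer request after setup is alert-worthy on its own.
    return m.group("ip"), "installer-access"


def scan_log(text):
    """Return (ip, verdict) for every request that is not clean."""
    hits = []
    for line in text.splitlines():
        result = classify_line(line)
        if result and result[1] != "clean":
            hits.append(result)
    return hits
```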
How to Mitigate CVE-2025-70958
Immediate Actions Required
- Remove or restrict access to the Subrion CMS installation directory on all production deployments
- Block external HTTP access to installer endpoints at the reverse proxy or WAF layer
- Audit existing Subrion CMS v4.2.1 installations and confirm setup files are deleted post-installation
Patch Information
No vendor advisory or patch is referenced in the available CVE data. Subrion CMS v4.2.1 is the affected version. Operators should evaluate whether to continue using this codebase given the public exploit details available in the GitHub Subrion CMS Exploit repository.
Workarounds
- Delete the install/ directory from the web root after initial setup completes
- Apply WAF rules that strip or block HTML and JavaScript metacharacters in dbuser, dbpwd, and dbname parameters
- Implement a strict Content Security Policy (CSP) that disallows inline script execution on Subrion CMS domains
- Educate administrators to avoid clicking unverified links pointing to CMS administrative or installation paths
# Configuration example: remove the installer and restrict access via nginx
# Step 1 (shell, run on the web server; /var/www/subrion is an example web root,
# adjust it to your deployment):
rm -rf /var/www/subrion/install/
# Step 2 (nginx server block): deny any residual installer access, e.g. if the
# directory comes back with a redeploy. `return 404` is evaluated in the rewrite
# phase before `deny all`, so clients see a 404 rather than a 403.
location ~* ^/install/ {
    deny all;
    return 404;
}
# Validate and reload the configuration after editing:
nginx -t && nginx -s reload
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

