CVE-2025-70958

CVSS base score: 6.1 MEDIUM

📋 TL;DR

Multiple reflected cross-site scripting (XSS) vulnerabilities in the installation module of Subrion CMS v4.2.1 allow an attacker to inject JavaScript through the database configuration parameters. Because the flaws are reflected, the attacker must get an administrator who is running the web installer to open a crafted installation URL; the script then executes in that administrator's browser, enabling session hijacking, credential theft, and website defacement. Fresh installations that expose the web installer are affected.

💻 Affected Systems

Products:
  • Subrion CMS
Versions: v4.2.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations where the web-based installer is reachable, which normally means a fresh install. Systems whose installation is complete are not exposed, provided the installer directory has been removed or blocked afterwards.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete administrative account takeover leading to full CMS compromise, data exfiltration, and persistent backdoor installation.

🟠

Likely Case

Session hijacking of administrators during installation, leading to unauthorized configuration changes and privilege escalation.

🟢

If Mitigated

Limited impact if the installation is performed in an isolated environment, by trusted personnel who open only their own installer URLs, and the installer is removed once the site is up.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires tricking an administrator who is running the installer into opening a crafted installation URL. No authentication is needed because the installer itself runs unauthenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Unknown

Restart Required: No

Instructions:

1. Check the Subrion CMS project site for a security release that addresses this CVE.
2. If one is available, download it and deploy the updated files before running the installer.
3. Run the installation from the updated package.
4. Confirm the installation completes without errors, then remove or block the installer directory.

🔧 Temporary Workarounds

Manual Installation Bypass

Platform: all

Install Subrion CMS without opening the web installer in a browser: unpack the package on the server from a shell, then set the database parameters directly in the configuration file so the vulnerable installer pages are never visited.

# Download Subrion CMS package
# Extract to web directory
# Manually configure database in config.inc.php
# Remove or block the install/ directory once the site is up

Network Isolation

Platform: all

Run the installer where only the installing administrator can reach it: on an isolated network with no internet access, or with the web server bound to localhost (or the install/ path restricted to loopback) until installation is complete. Isolation limits who can reach the installer; it does not stop an administrator from opening a crafted link in the same browser session, so complete the installation from a clean session and remove the installer afterwards.

# Disable network interfaces during installation
# Use localhost-only installation

🧯 If You Can't Patch

  • Perform the installation on an isolated network without internet connectivity, and do not open untrusted links from the browser session used for it
  • Configure the installation manually on the server instead of through the web installer, then remove or block the install/ directory

🔍 How to Verify

Check if Vulnerable:

The instance runs Subrion CMS v4.2.1 and the web installer (install/index.php) is still deployed and reachable, either because installation has not been completed yet or because the installer directory was left in place afterwards.

Check Version:

Check includes/version.inc.php or the admin panel for the version number.

Verify Fix Applied:

Confirm the installation was completed from a patched release or by the manual method, and that the installer directory is no longer present or reachable.
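The verification steps above, as an added example script (not part of the original page or of Subrion): it reads the version string from includes/version.inc.php, checks whether install/index.php is still deployed under the document root, and reports exposure only when both the affected release and a reachable installer are present. It assumes version.inc.php carries the release number as a plain x.y.z literal; the sample document root it builds is constructed placeholder data, not Subrion's real files.

```python
import re
import tempfile
from pathlib import Path

VULNERABLE_VERSION = "4.2.1"
VERSION_FILE = Path("includes") / "version.inc.php"   # version source named in the advisory
INSTALLER = Path("install") / "index.php"             # installer entry point named in the advisory

# Assumption: version.inc.php carries the release number as a plain x.y.z literal.
VERSION_RE = re.compile(r"\b(\d+\.\d+\.\d+)\b")


def read_version(webroot):
    """Return the first x.y.z string in includes/version.inc.php, or None if absent."""
    path = Path(webroot) / VERSION_FILE
    if not path.is_file():
        return None
    match = VERSION_RE.search(path.read_text(encoding="utf-8", errors="replace"))
    return match.group(1) if match else None


def installer_deployed(webroot):
    """The reflected XSS lives in the installer, so it only matters while install/index.php exists."""
    return (Path(webroot) / INSTALLER).is_file()


def assess(webroot):
    """Combine version and installer presence into a verdict plus the action to take."""
    version = read_version(webroot)
    installer = installer_deployed(webroot)
    exposed = version == VULNERABLE_VERSION and installer
    if exposed:
        action = "installer still deployed: remove or block install/ now, re-install via a trusted path"
    elif version == VULNERABLE_VERSION:
        action = "affected release but installer removed: keep it removed, watch for a vendor fix"
    else:
        action = "not the affected release"
    return {"version": version, "installer_present": installer, "exposed": exposed, "action": action}


def make_sample_webroot(version=VULNERABLE_VERSION, keep_installer=True):
    """Constructed stand-in for a Subrion document root (placeholder PHP, not Subrion's real files)."""
    root = Path(tempfile.mkdtemp(prefix="subrion-check-"))
    (root / VERSION_FILE).parent.mkdir(parents=True)
    (root / VERSION_FILE).write_text(f"<?php\n// placeholder, not the real file\n$version = '{version}';\n")
    if keep_installer:
        (root / INSTALLER).parent.mkdir(parents=True)
        (root / INSTALLER).write_text("<?php // installer placeholder\n")
    return root


if __name__ == "__main__":
    print(assess(make_sample_webroot()))                      # exposed: installer still present
    print(assess(make_sample_webroot(keep_installer=False)))  # not exposed: installer removed
```

Point assess() at the real document root to check a live deployment; a positive result means the installer is still reachable on the affected release, which is the condition the advisory describes.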

📡 Detection & Monitoring

Log Indicators:

  • Requests to install/index.php whose database parameters (dbuser, dbpwd, dbname) carry unusually long values containing HTML tags, event-handler attributes or javascript: URIs, often URL-encoded
  • Repeated installation attempts with suspicious parameters from the same client, with or without a completed install

Network Indicators:

  • HTTP requests to install/index.php with script tags or other HTML markup in query parameters, including URL-encoded and double-encoded forms
  • Installer requests whose Referer header points to an external site, which indicates the administrator followed a link rather than typing the installer URL

SIEM Query (pseudo-syntax, adapt to your platform):

source="web_logs" AND uri="/install/index.php" AND (param="dbuser" OR param="dbpwd" OR param="dbname") AND value MATCHES "<script>"

Decode URL-encoding before matching and broaden the pattern beyond a literal "<script>"; reflected payloads commonly use tags such as img or svg with an event handler (for example onerror=) or a javascript: URI, so a pattern like "(?i)(<script|<img|<svg|on[a-z]+=|javascript:)" catches more variants. POST bodies are not recorded in standard access logs, so payloads sent in form submissions need a WAF or application log to be seen.
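The detection logic the indicators and query above describe, as an added example (not part of the original page or of Subrion): it parses combined-format access-log lines, keeps only requests to /install/index.php, URL-decodes every query parameter (repeatedly, so double-encoded payloads are not missed), and flags values containing script tags, tag injection, event-handler attributes or javascript: URIs. The log lines are constructed sample data; the installer path and the three parameter names come from this advisory.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Installer entry point named in the page's network indicators, and the
# database parameters the advisory lists as injection points.
TARGET_PATH = "/install/index.php"
WATCHED_PARAMS = {"dbuser", "dbpwd", "dbname"}

# Indicators matched against *decoded* parameter values. A literal "<script>"
# check alone misses tag-less and encoded payloads, so the list is broader.
XSS_PATTERNS = [
    re.compile(r"<\s*script\b", re.I),                                      # <script ...>
    re.compile(r"<\s*(img|svg|iframe|body|input|object|embed|a)\b", re.I),  # tag injection
    re.compile(r"\bon[a-z]+\s*=", re.I),                                    # onerror=, onload=, ...
    re.compile(r"javascript\s*:", re.I),                                    # javascript: URIs
]

# Combined Log Format as written by Apache httpd / nginx (constructed sample below).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "[^"]*")?'
)


def fully_decode(value, rounds=3):
    """Undo repeated URL-encoding (double-encoded payloads are a common filter bypass)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(target):
    """Return (param, decoded_value, pattern) hits for one request-target string.

    Only the installer path is examined. Every query parameter is checked, not just
    the three named in the advisory; scan_log() records whether a named one was hit.
    """
    parts = urlsplit(target)
    if parts.path != TARGET_PATH:
        return []
    hits = []
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for raw in values:                 # parse_qs already decoded one layer
            value = fully_decode(raw)
            for pattern in XSS_PATTERNS:
                if pattern.search(value):
                    hits.append((name, value, pattern.pattern))
                    break                  # one hit per parameter value is enough
    return hits


def scan_log(lines):
    """Parse access-log lines and return one alert per request carrying XSS indicators.

    POST bodies are not recorded in standard access logs, so only query-string
    payloads are visible here; a WAF or application log is needed for POSTed ones.
    """
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = inspect_request(m.group("target"))
        if hits:
            alerts.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "referer": m.group("referer"),
                "hits": hits,
                "watched_param_hit": any(h[0] in WATCHED_PARAMS for h in hits),
            })
    return alerts


# Constructed sample log lines (not real traffic): two malicious requests from one
# client, one benign installer request, and one unrelated request with a payload.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2025:12:00:01 +0000] "GET /install/index.php?dbhost=localhost'
    '&dbuser=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E&dbname=subrion HTTP/1.1" '
    '200 5120 "http://attacker.example/" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jan/2025:12:00:05 +0000] "GET /install/index.php?dbname='
    '%2522%253E%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" '
    '200 5120 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Jan/2025:12:01:00 +0000] "GET /install/index.php?dbhost=localhost'
    '&dbuser=subrion&dbname=subrion HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Jan/2025:12:01:30 +0000] "GET /index.php?q=%3Cscript%3E HTTP/1.1" '
    '200 100 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["ts"], alert["ip"], alert["referer"], alert["hits"])
```

Feed scan_log() the lines of a real access log to hunt retrospectively. The second sample line shows why decoding matters: it only reveals the img/onerror payload after two rounds of URL-decoding, and the external Referer on the first line is the "followed a link" signal the network indicators describe.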
