CVE-2020-12468

Description

Subrion CMS 4.2.1 allows CSV injection via a phrase value within a language. This is related to phrases/add/ and languages/download/.

How to fix CVE-2020-12468

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

• Packagist/intelliants/subrion—no fix listed

Is CVE-2020-12468 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

CVSS scores

References (4)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-12468
• PATCHgithub.com/intelliants/subrion
• WEBbelong2yourself.github.io/vulnerabilities/docs/Subrion%20CMS/CSV%20Injection/readme
• WEBgithub.com/belong2yourself/vulnerabilities/tree/master/Subrion%20CMS/CSV%20Injection