Description: Multiple Cross-Site Scripting (XSS) vulnerabilities in installation of Subrion CMS v.4.2.1 allows a local attacker to execute arbitrary web scripts via a crafted payload injected into the dbhost, dbname, dbuser, adminusername and adminemail.
Attack Vectors: A vulnerability in the installation sanitation in the dbhost, dbname, dbuser, adminusername and adminemail allows JavaScript code to be injected.
During the installation process we enter the XSS payload in any of the 5 fields and when we click on next, we will obtain the XSS pop-up
'"><svg/onload=alert('dbhost')>'"><svg/onload=alert('dbname')>'"><svg/onload=alert('dbuser')>'"><svg/onload=alert('adminusername')>'"><svg/onload=alert('adminemail')>
In the following image you can see the embedded code that executes the payload in the instalaltion process.
