
Cloud Vulnerability DB
A community-led vulnerabilities database
A cross-site scripting (XSS) vulnerability exists in Subrion CMS 4.2.2 in the blog workflow: a user adds a blog post with an image and then edits it. The vulnerability was assigned CVE-2020-22392 and was disclosed in March 2020 (GitHub Issue). It affects Subrion CMS version 4.2.2 and received a CVSS v3.1 base score of 5.4 (Medium) (NVD).
The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting). The issue occurs when a user adds a blog post, uploads an image, and then edits the post: the image's file name is written into the page without encoding, so a file name that carries HTML or JavaScript executes in the browser of whoever views the post (GitHub Issue). Because the payload is persisted with the post, this is a stored XSS rather than a reflected one. The CVSS v3.1 vector string is CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N: network-accessible, low attack complexity, low privileges required (an account able to create blog posts), user interaction required, changed scope, and low confidentiality and integrity impact with no availability impact (NVD).
The vulnerability allows an attacker to execute arbitrary JavaScript in the browsers of other users who view the affected blog post. This can lead to theft of sensitive information, session hijacking, or other actions performed with the victim's privileges in the application, which matters most when the viewer is an administrator (NVD).
The fix suggested in the issue report is to HTML-encode the image['file'] value before it is rendered, by passing it through the safeHTML function (GitHub Issue). As a general rule, every place the file name reaches HTML output should be escaped for its output context (element body, attribute, or URL), and uploaded file names should additionally be validated against an allowlist at upload time rather than stored verbatim.
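The following PHP snippet is an added illustration of the bug class described above and of the two defences just mentioned; it is not Subrion's code, and the function names, the upload path and the sample file name are assumptions made for this example. It renders the same image record once unescaped (the vulnerable pattern) and once with attribute-context encoding, and shows an upload-time allowlist check that would reject such a name before it is ever stored.

```php
<?php
// Added illustration (not Subrion's code) of stored XSS through an image file
// name, plus two complementary defences. Function names, the /uploads/ path and
// the sample file name are assumptions for this example.

// Constructed sample: a file name crafted to break out of the src attribute.
// Most filesystems accept double quotes and spaces in file names, so a raw
// upload name can legitimately contain them.
$storedFileName = 'photo.png" onerror="alert(document.cookie)';

// VULNERABLE: mirrors the bug class on the page. $image['file'] is stored as
// uploaded and interpolated into the blog view / edit form without encoding.
function renderImageTagVulnerable(array $image): string
{
    return '<img src="/uploads/' . $image['file'] . '" alt="">';
}

// FIX 1 (output encoding): encode the value for the HTML attribute context at
// the point it is written into the page. ENT_QUOTES encodes both quote
// characters, so the attacker cannot terminate the src attribute and start a
// new event-handler attribute.
function renderImageTagSafe(array $image): string
{
    $file = htmlspecialchars($image['file'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<img src="/uploads/' . $file . '" alt="">';
}

// FIX 2 (input validation, defence in depth): never store a user-supplied file
// name verbatim. Accept only a conservative character allowlist and a known
// image extension; reject everything else at upload time.
function isAcceptableImageName(string $name): bool
{
    return (bool) preg_match('/\A[A-Za-z0-9_-]{1,64}\.(?:jpe?g|png|gif|webp)\z/i', $name);
}

$image = ['file' => $storedFileName];

// Unescaped rendering: the quote in the file name closes src and the onerror
// handler becomes a live attribute.
echo renderImageTagVulnerable($image), PHP_EOL;

// Escaped rendering: the quote is emitted as an entity and stays inside src.
echo renderImageTagSafe($image), PHP_EOL;

// Allowlist check: the crafted name is rejected, a plain name is accepted.
var_dump(isAcceptableImageName($storedFileName));
var_dump(isAcceptableImageName('photo.png'));
```

Running the script shows the unescaped markup containing a separate onerror attribute, the escaped markup with the quote encoded as an entity inside the src value, and the allowlist rejecting the crafted name while accepting a plain one. Output encoding is the fix that actually closes the hole, because it works regardless of how the value reached the database; the allowlist is a second layer that also protects any other template that renders the same field.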
Source: This report was generated using AI