Jump to content

Subrion 4.2.1 - 'Email' Persistant Cross-Site Scripting


This CHT

Recommended Posts

# Title: Subrion 4.2.1 - 'Email' Persistant Cross-Site Scripting
# Date: 2019-10-07
# Author: Min Ko Ko (Creatigon)
# Vendor Homepage: https://subrion.org/
# CVE : https://nvd.nist.gov/vuln/detail/CVE-2019-17225
# Website : https://l33thacker.com
# Description :  Allows XSS via the panel/members/ Username, Full Name, or
# Email field, aka an "Admin Member JSON Update" issue.

First login the panel with user credential, Go to member tag from left menu.


Username, Full Name, Email are editable with double click on it. Insert the
following payload

<img src=x onerror=alert(document.cookie)>
Link to post
Link to comment
Share on other sites


  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...