Subrion 4.2.1 - 'Email' Persistent Cross-Site Scripting

ID EDB-ID:47469
Type exploitdb
Reporter Exploit-DB
Modified 2019-10-07T00:00:00


# Title: Subrion 4.2.1 - 'Email' Persistent Cross-Site Scripting
# Date: 2019-10-07
# Author: Min Ko Ko (Creatigon)
# Vendor Homepage:
# CVE :
# Website :
# Description :  Allows XSS via the panel/members/ Username, Full Name, or
# Email field, aka an "Admin Member JSON Update" issue.

First log in to the admin panel (panel/) with valid credentials, then open Members from the left menu.


The Username, Full Name and Email columns are inline-editable: double-click a
cell, enter the following payload and save the change. The value is stored
without sanitisation, so the payload executes whenever the member list is
rendered again for any user of the panel.

<img src=x onerror=alert(document.cookie)>
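The following is an added example and not Subrion's code: it shows the rendering pattern that makes the stored payload live (fields concatenated straight into the member-list markup) next to a hardened renderer that HTML-encodes every attacker-controlled field, plus a defence-in-depth check on the JSON update path that refuses to store an Email value that cannot be an address. The field names, the sample member record and the handler functions are assumptions for illustration; only the payload comes from the advisory.

```javascript
// Added example (not Subrion's code). Field names, the sample record and the
// handler functions are assumptions; the payload is the one from the advisory.

// Value as it would be stored once the advisory's payload is saved into Email.
const XSS_PAYLOAD = '<img src=x onerror=alert(document.cookie)>';
const sampleMember = {               // constructed sample record
  id: 42,
  username: 'mallory',
  fullname: 'Mallory Example',
  email: XSS_PAYLOAD,
};

// Minimal HTML entity encoder for text and double-quoted attribute contexts.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: fields are concatenated into markup unchanged, so the
// stored value is parsed as a tag and its onerror handler runs for every
// admin who opens the members page.
function renderMemberRowUnsafe(m) {
  return `<tr data-id="${m.id}">` +
    `<td class="editable" data-field="username">${m.username}</td>` +
    `<td class="editable" data-field="fullname">${m.fullname}</td>` +
    `<td class="editable" data-field="email">${m.email}</td></tr>`;
}

// Hardened pattern: every untrusted field is encoded for the context it is
// written into. id is an integer, so it is coerced rather than encoded.
function renderMemberRowSafe(m) {
  const id = Number.parseInt(m.id, 10);
  if (!Number.isInteger(id)) throw new TypeError('member id must be an integer');
  return `<tr data-id="${id}">` +
    `<td class="editable" data-field="username">${escapeHtml(m.username)}</td>` +
    `<td class="editable" data-field="fullname">${escapeHtml(m.fullname)}</td>` +
    `<td class="editable" data-field="email">${escapeHtml(m.email)}</td></tr>`;
}

// Defence in depth on the write path: the JSON update handler should refuse
// values that cannot be an email before storing them. This does not replace
// output encoding; it only shrinks what an attacker can persist. The pattern
// is a deliberately conservative practical check, not full RFC 5322.
function isPlausibleEmail(value) {
  if (typeof value !== 'string' || value.length > 254) return false;
  return /^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$/.test(value);
}

// Simulates the inline-edit handler: returns the record that would be stored,
// or null when the update is refused (unknown field or invalid email).
function applyMemberUpdate(member, field, value) {
  const editable = new Set(['username', 'fullname', 'email']);
  if (!editable.has(field)) return null;
  if (field === 'email' && !isPlausibleEmail(value)) return null;
  return { ...member, [field]: value };
}

// True when the rendered row still contains a live <img> tag, i.e. the
// stored payload survived rendering as markup rather than as text.
function containsLiveTag(html) {
  return /<img\b/i.test(html);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe row fires payload:', containsLiveTag(renderMemberRowUnsafe(sampleMember)));
  console.log('safe row fires payload:', containsLiveTag(renderMemberRowSafe(sampleMember)));
}
```

Note that the email check alone would not close the issue: Username and Full Name legitimately contain characters a filter cannot reject, so output encoding at render time is the fix and the input check is only a second layer.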