Subrion 4.2.1 Cross Site Scripting

Subrion version 4.2.1 suffers from a persistent cross site scripting vulnerability.

MD5 | c95c59032de41c4009cd527fba9a57fb

# Title: Subrion 4.2.1 - 'Email' Persistent Cross-Site Scripting
# Date: 2019-10-07
# Author: Min Ko Ko (Creatigon)
# Vendor Homepage:
# CVE :
# Website :
# Description : Allows XSS via the panel/members/ Username, Full Name, or
# Email field, aka an "Admin Member JSON Update" issue.

First log in to the panel with user credentials, then go to the member tab in the left menu.

Username, Full Name and Email are editable by double-clicking on them. Insert the
following payload:

<img src=x onerror=alert(document.cookie)>
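To make the defensive side of this concrete, the following is an added Python example, not Subrion code, that contrasts dropping the three inline-edited member fields straight into the panel HTML with an output-encoded rendering, and shows the kind of server-side validation the JSON update handler should apply; the field names, the validation rules and all helper names are assumptions.

```python
import html
import re

# Constructed sample: the advisory's payload stored in each of the three
# inline-editable fields, as it would arrive via the member JSON update.
PAYLOAD = "<img src=x onerror=alert(document.cookie)>"
STORED_MEMBER = {"username": PAYLOAD, "fullname": PAYLOAD, "email": PAYLOAD}

# Assumed allow-list rules for what each field may legitimately hold.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")
EMAIL_RE = re.compile(r"^[^@\s<>]+@[^@\s<>]+\.[A-Za-z]{2,}$")


def render_cell_vulnerable(value: str) -> str:
    """Stored value written into the table cell unencoded: the bug pattern."""
    return f"<td>{value}</td>"


def render_cell_safe(value: str) -> str:
    """Same cell with HTML entity encoding, so stored markup renders as text."""
    return f"<td>{html.escape(value, quote=True)}</td>"


def validate_member_update(fields: dict) -> dict:
    """Server-side validation for the inline-edit handler.
    Returns {field: error} for every value that violates its rule."""
    errors = {}
    if not USERNAME_RE.fullmatch(fields.get("username", "")):
        errors["username"] = "only letters, digits, '_', '.', '-' allowed"
    if not EMAIL_RE.fullmatch(fields.get("email", "")):
        errors["email"] = "not a valid e-mail address"
    fullname = fields.get("fullname", "")
    if not fullname or len(fullname) > 100 or re.search(r"[<>]", fullname):
        errors["fullname"] = "1-100 characters, no '<' or '>'"
    return errors


def raw_tags(rendered: str) -> list:
    """Detection helper: tags in the rendered cell other than the <td> wrapper."""
    return [t for t in re.findall(r"<(\w+)", rendered) if t.lower() != "td"]


if __name__ == "__main__":
    print("vulnerable:", render_cell_vulnerable(PAYLOAD))
    print("encoded:   ", render_cell_safe(PAYLOAD))
    print("rejected:  ", validate_member_update(STORED_MEMBER))
```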
