# Title: Subrion 4.2.1 - 'Email' Persistent Cross-Site Scripting
# Date: 2019-10-07
# Author: Min Ko Ko (Creatigon)
# Vendor Homepage: https://subrion.org/
# CVE : https://nvd.nist.gov/vuln/detail/CVE-2019-17225
# Website : https://l33thacker.com
# Description : Allows XSS via the panel/members/ Username, Full Name, or
# Email field, aka an "Admin Member JSON Update" issue.

First log in to the panel with user credentials, then open the Members tab from the left menu.

http://localhost/panel/members/

Username, Full Name and Email are editable by double-clicking on them. Insert the following payload
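As an added, defender-side example that is not part of this advisory or of Subrion's own code: the stored XSS above exists because the three inline-edited member fields are accepted by the JSON update endpoint and later rendered unencoded. The routine below (Python rather than Subrion's PHP, with hypothetical field names `username`, `fullname` and `email`) shows the two controls that close that gap: strict server-side validation of each field on the update, and HTML output encoding when the value is rendered back into the members table.

```python
import html
import re
from typing import Dict

# Strict shape for the e-mail field: local part, "@", dotted domain. Angle
# brackets, quotes and whitespace are not in the character classes, so no
# markup can reach the stored value through this field.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")
# Username: letters, digits, dot, underscore and hyphen only.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")
# Full name: any printable text except HTML metacharacters and control chars.
FULLNAME_RE = re.compile(r"^[^<>\"'&\x00-\x1f\x7f]{1,128}$")

# Hypothetical field names; the advisory only names the columns in the UI.
FIELD_RULES = {"username": USERNAME_RE, "fullname": FULLNAME_RE, "email": EMAIL_RE}


class InvalidField(ValueError):
    """Raised when an inline-edit update carries a value the field rejects."""


def validate_member_update(fields: Dict[str, str]) -> Dict[str, str]:
    """Server-side check for the members inline-edit JSON update.

    Returns the cleaned values or raises InvalidField. Unknown keys are
    rejected so the client cannot push extra columns through the update.
    """
    cleaned = {}
    for name, value in fields.items():
        rule = FIELD_RULES.get(name)
        if rule is None:
            raise InvalidField(f"unexpected field {name!r}")
        value = value.strip()
        if not rule.fullmatch(value):
            raise InvalidField(f"invalid value for {name!r}")
        cleaned[name] = value
    return cleaned


def render_member_cell(value: str) -> str:
    """Output encoding for the members table cell.

    Even a value that reached the database without validation is emitted as
    text, not markup, so it cannot execute in an administrator's browser.
    """
    return html.escape(value, quote=True)
```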