Subrion 4.2.1 - 'Email' Persistent Cross-Site Scripting

ID: 102045
# Title: 
# Date: 2019-10-07
# Author: Min Ko Ko (Creatigon)
# Vendor Homepage:
# CVE :
# Website :
# Description :  Allows XSS via the panel/members/ Username, Full Name, or
# Email field, aka an "Admin Member JSON Update" issue.

First log in to the admin panel with user credentials, then go to the Members tab in the left menu.


Username, Full Name and Email are editable by double-clicking on them. Insert the
following payload:

<img src=x onerror=alert(document.cookie)>
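To illustrate the defect behind this advisory, here is an added example (not Subrion's own code) of a member row being rendered from the JSON update response, first without output encoding and then with it; the record, field names and row layout are assumptions for illustration.

```javascript
// Added example, not Subrion code: rendering a member record from the admin
// "Members" grid in a vulnerable and a hardened form. The member object,
// field names and row layout are assumptions for illustration.

// Sample record, constructed to carry the payload from the advisory.
const member = {
  username: 'alice',
  fullname: '<img src=x onerror=alert(document.cookie)>',
  email: 'alice@example.com',
};

// Vulnerable: field values are concatenated straight into markup, so any
// HTML stored in username / fullname / email is parsed by the browser and
// its event handler runs in every admin's session that views the grid.
function renderRowUnsafe(m) {
  return `<tr><td>${m.username}</td><td>${m.fullname}</td><td>${m.email}</td></tr>`;
}

// Escape the five characters that matter in HTML text and attribute context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Hardened: every untrusted value is escaped at output time, so the stored
// payload is displayed as text instead of being interpreted as a tag.
function renderRowSafe(m) {
  return `<tr><td>${escapeHtml(m.username)}</td>` +
    `<td>${escapeHtml(m.fullname)}</td><td>${escapeHtml(m.email)}</td></tr>`;
}

// Check a reviewer can run over rendered output: returns true when the
// markup still contains an element start tag other than the expected
// table row / cell tags, i.e. when untrusted data leaked into markup.
function containsUnexpectedTag(html) {
  return /<(?!\/?(tr|td)\b)[a-z]/i.test(html);
}
```

Escaping at output is the fix; validating the input fields on the server side as well limits what gets stored in the first place.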