al3zx/xss_financial_subrion_4.2.1

XSS in Subrion 4.2.1 (/panel/configuration/financial/)

Software link: Subrion CMS 4.2.1 [https://subrion.org/download/]

@author: Alejandro Amorín

Description: A stored cross-site scripting (XSS) vulnerability in /panel/configuration/financial/ of Subrion v4.2.1 allows attackers with access to that admin page to execute arbitrary web scripts or HTML via a crafted payload injected into one or more of the fields 'Minimum deposit', 'Maximum deposit' and 'Maximum balance'. The payload is triggered when /profile/funds/ is accessed on the main site.

POC

Minimum deposit

  1. Open the Financial section of the admin panel (/panel/configuration/financial/) and set the payload in 'Minimum deposit':

(screenshot: xss1)

  2. On the main site, go to /profile/funds/:

(screenshot: xss2)

Maximum deposit

  1. Open the Financial section of the admin panel (/panel/configuration/financial/) and set the payload in 'Maximum deposit':

(screenshot: xss3)

  2. On the main site, go to /profile/funds/:

(screenshot: xss4)

Maximum balance

  1. Open the Financial section of the admin panel (/panel/configuration/financial/) and set the payload in 'Maximum balance':

(screenshot: xss5)

  2. On the main site, go to /profile/funds/:

(screenshot: xss6)
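As an added example (not Subrion's code; function and field names are assumptions), the following hypothetical PHP shows the two defender-side controls that close this bug class: numeric validation of the three financial settings on save, and HTML-context output encoding when /profile/funds/ renders them.

```php
<?php
// Hypothetical PHP showing how to close the financial-settings XSS described above.
// Added example, not Subrion's own code; all function and field names are assumptions.
// Admin side (/panel/configuration/financial/): accept only non-negative decimal
// numbers. Stored XSS needs markup in the stored value, so strict validation on save
// removes this attack surface for the three affected fields.
function validateFinancialSettings(array $input): array
{
    $fields = ['minimum_deposit', 'maximum_deposit', 'maximum_balance'];
    $clean  = [];
    foreach ($fields as $name) {
        $raw = trim((string) ($input[$name] ?? ''));
        // Digits with an optional one- or two-digit fraction, e.g. "10" or "250.50".
        if (!preg_match('/^\d+(\.\d{1,2})?$/', $raw)) {
            throw new InvalidArgumentException("'$name' must be a non-negative number");
        }
        $clean[$name] = (float) $raw;
    }
    if ($clean['minimum_deposit'] > $clean['maximum_deposit']) {
        throw new InvalidArgumentException('Minimum deposit cannot exceed maximum deposit');
    }
    return $clean;
}

// HTML-context output encoding: the control that keeps rendering safe even for an
// older, unvalidated row in the settings table.
function e($value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Front-end side (/profile/funds/): every setting goes through e() before concatenation.
function renderFundsLimits(array $settings): string
{
    return '<ul>'
        . '<li>Minimum deposit: ' . e($settings['minimum_deposit']) . '</li>'
        . '<li>Maximum deposit: ' . e($settings['maximum_deposit']) . '</li>'
        . '<li>Maximum balance: ' . e($settings['maximum_balance']) . '</li>'
        . '</ul>';
}

// Constructed sample: a row saved by a vulnerable version, with markup in one field.
$stored = ['minimum_deposit' => '10<b>x</b>', 'maximum_deposit' => '500', 'maximum_balance' => '1000'];
echo renderFundsLimits($stored), PHP_EOL;   // markup is entity-encoded, so the browser does not parse it
try {
    validateFinancialSettings($stored);     // and the same row is rejected at save time
} catch (InvalidArgumentException $ex) {
    echo 'Rejected: ', $ex->getMessage(), PHP_EOL;
}
```

Output encoding is the control that matters for rows already in the database; validation only protects values saved after the fix.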
