CVE-2023-4382

LOW

tdevs hyip_rio 2.1 - Cross-Site Scripting via Profile Settings Avatar Parameter


Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-4382. PoCs published by CraCkEr.

AI-analyzed exploit summary: This exploit demonstrates an arbitrary file upload vulnerability in Hyip Rio 2.1, allowing attackers to upload malicious SVG files containing stored XSS payloads. The PoC shows how to bypass file extension checks by uploading an SVG file with embedded JavaScript.

Description

A vulnerability, which was classified as problematic, has been found in tdevs Hyip Rio 2.1. Affected by this issue is some unknown functionality of the file /user/settings of the component Profile Settings. The manipulation of the argument avatar leads to cross site scripting. The attack may be launched remotely. VDB-237314 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Exploits (1)

exploitdb · WORKING POC
by CraCkEr · text · webapps · php
https://www.exploit-db.com/exploits/51698

Classification
Working PoC 90%
Attack Type
XSS
Complexity
Trivial
Reliability
Reliable
Target: Hyip Rio 2.1
Auth required
Prerequisites: Valid user credentials · Access to the user dashboard · Burp Suite or similar proxy tool
devstral-2 · analyzed Feb 16, 2026

References (3)

Core References
Third Party Advisory · vdb-entry · technical-description
https://vuldb.com/?id.237314
Permissions Required · signature · permissions-required
https://vuldb.com/?ctiid.237314

Scores

CVSS v3 3.5
EPSS 0.0051
EPSS Percentile 66.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (1)
tdevs/hyip_rio 2.1
Published Aug 16, 2023
Tracked Since Feb 18, 2026