CVE-2023-53876
MEDIUMAcademy LMS 6.1 - Authenticated Stored Cross-Site Scripting via Profile Avatar Upload
Title source: llmExploitation Summary
EIP tracks 1 public exploit for CVE-2023-53876. PoCs published by CraCkEr.
AI-analyzed exploit summary This exploit demonstrates an arbitrary file upload vulnerability in Academy LMS 6.1, allowing attackers to upload malicious SVG files containing stored XSS payloads. The PoC shows how to bypass file extension checks by intercepting and modifying a POST request to upload an SVG file with embedded JavaScript.
Description
Academy LMS 6.1 contains a file upload vulnerability that allows authenticated users to upload malicious SVG files with stored cross-site scripting payloads. Attackers can inject malicious scripts through the profile avatar upload feature by modifying file extensions and embedding executable JavaScript code.
Exploits (1)
This exploit demonstrates an arbitrary file upload vulnerability in Academy LMS 6.1, allowing attackers to upload malicious SVG files containing stored XSS payloads. The PoC shows how to bypass file extension checks by intercepting and modifying a POST request to upload an SVG file with embedded JavaScript.
References (3)
Scores
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N