CVE-2023-38964
I was searching for an LMS (Learning Management System), which is like a CMS (Content Management System) but specifically designed for managing courses. During my search, I came across "Academy LMS 6.0". I purchased this product and decided to test it for vulnerabilities before uploading my courses and deploying it on my site.
In application > controllers > Home.php, we found the search function on line 855; lines 858 - 865 check the input for XSS payloads.
This only checks whether $_GET['query'] contains a double quote (") and the string "script".
Intercepting the query request with Burp:
"TESTT" is reflected in source code:
We have two attack vectors:
Weak verification
Input reflected on the page
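The two weaknesses above, as an added PHP example that is not Academy LMS code: the blacklist is a hypothetical reconstruction from the description, shown beside output encoding with htmlspecialchars() and run on constructed, benign markup. The function names, the `<h3>` template, the case-insensitive match and the choice to reject either substring are assumptions.

```php
<?php
// Added example: NOT Academy LMS code. The blacklist is a hypothetical
// reconstruction of the check the page describes (looks for " and "script").

// Weak: a blacklist of two substrings; every other character passes unchanged.
// Assumption: either substring rejects the input, and matching ignores case.
function blacklist_allows(string $q): bool
{
    return strpos($q, '"') === false && stripos($q, 'script') === false;
}

// Weak: the value is written into the HTML response as-is (reflection).
// The <h3> template is a placeholder for wherever the page echoes the query.
function render_unsafe(string $q): string
{
    return '<h3>Results for: ' . $q . '</h3>';
}

// Hardened: encode for the HTML context at output time, whatever the input holds.
function render_safe(string $q): string
{
    $encoded = htmlspecialchars($q, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<h3>Results for: ' . $encoded . '</h3>';
}

// Constructed sample inputs (benign markup only).
$samples = ['TESTT', '<b>TESTT</b>', "<i class='x'>TESTT</i>"];

foreach ($samples as $q) {
    printf("input:     %s\n", $q);
    printf("blacklist: %s\n", blacklist_allows($q) ? 'allowed' : 'rejected');
    printf("unsafe:    %s\n", render_unsafe($q));   // markup reaches the page intact
    printf("safe:      %s\n\n", render_safe($q));   // < > ' are emitted as entities
}
```

All three inputs pass the blacklist, and only render_safe() stops the markup from being parsed as HTML, which is why the fix belongs at output encoding and not in a longer blacklist.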
Go test the following payload: