# CVE-2023-38964
## Introduction
I was searching for an LMS (Learning Management System), which is like a CMS (Content Management System) but specifically designed for managing courses. During my search, I came across "**Academy LMS 6.0"**. I purchased this product and decided to test it for vulnerabilities before uploading my courses and deploying it on my site.
## Code Analysis
At **application > controllers > Home.php**, on line 855, we found the search function, and on lines **858 - 865**, it is checked for XSS payloads.
Vulnerable Code
These checks only if **$\_GET\['query']** contains **"** and **script** string.
## Attack
Intercepting **query** request with burp:
Request
"**TESTT**" is reflected in source code:
Reflect on the page
We have two vectors for attack:
1. Weak verification
2. Input reflect on the page
Go test the following payload:
```
">
```
XSS Payload
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://vida03.gitbook.io/redteam/web/cve-2023-38964.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.