Exploit/Advisories

Published on September 15th, 2023 📆 | 6919 Views ⚑

0

Academy LMS 6.2 Cross Site Scripting – Torchsec

# Exploit Title: Academy LMS 6.2 - Reflected XSS
# Exploit Author: CraCkEr
# Date: 29/08/2023
# Vendor: Creativeitem
# Vendor Homepage: https://creativeitem.com/
# Software Link: https://demo.creativeitem.com/academy/
# Tested on: Windows 10 Pro
# Impact: Manipulate the content of the site
# CVE: CVE-2023-4973
# CWE: CWE-79 - CWE-74 - CWE-707

## Greetings

The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka
CryptoJob (Twitter) twitter.com/0x0CryptoJob

## Description

The attacker can send to victim a link containing a malicious URL in an email or instant message
can perform a wide variety of actions, such as stealing the victim's session token or login credentials

Path: /academy/tutor/filter

GET parameter 'searched_word' is vulnerable to XSS
GET parameter 'searched_tution_class_type[]' is vulnerable to XSS
GET parameter 'searched_price_type[]' is vulnerable to XSS
GET parameter 'searched_duration[]' is vulnerable to XSS

https://website/academy/tutor/filter?searched_word=[XSS]&searched_tution_class_type%5B%5D=[XSS]&price_min=1&price_max=9&searched_price_type%5B%5D=[XSS]&searched_duration%5B%5D=[XSS]

XSS Payload:

acoa5">dyzs0

[-] Done

Tagged with: academy • cross • LMS • scripting • Site • torchsec

Leave a Reply Cancel reply

🌟 Your Account

Username/Email Password
Remember Me
Register
🔔 Email Subscriptions

Get new posts by email
- Donate Via Wallets
  MetaMask
  
  Trust Wallet
  
  Binance Wallet
  
  WalletConnect
Feed

SoundThinking, Maker of ShotSpotter, Is Buying Parts of PredPol Creator Geolitica
30 September 2023
SoundThinking, the company behind the gunshot-detection system ShotSpotter, is quietly acquiring staff, patents, and customers 🔎
Gentoo Linux Security Advisory 202309-10 – Torchsec
29 September 2023
– – – – – – – – – – – – – – – 🔎
OpenRefine’s Zip Slip Vulnerability Could Let Attackers Execute Malicious Code
2 October 2023
Oct 02, 2023THNVulnerability / Cyber Attack A high-severity security flaw has been disclosed in the 🔎
Iranian APT Group OilRig Using New Menorah Malware for Covert Operations
30 September 2023
Sep 30, 2023THNCyber Espionage / Malware Sophisticated cyber actors backed by Iran known as OilRig 🔎
Red Hat Security Advisory 2023-5407-01 – Torchsec
3 October 2023
—–BEGIN PGP SIGNED MESSAGE—–Hash: SHA256 =====================================================================Red Hat Security Advisory Synopsis: Moderate: openshift-gitops-kam security updateAdvisory ID: 🔎
Popular
- A New Cybercrime Group Linked to 7 Ransomware Families by Admin September 26, 2023 Cybersecurity experts have shed light on a new cybercrime group… (10)
- Mozilla: Your New Car Is a Data Privacy Nightmare by Admin September 13, 2023 Eighty-four percent of the brands that researchers studied share or… (8)
- GitHub Repositories Hit by Password-Stealing Commits… by Admin September 28, 2023 Sep 28, 2023THNSupply Chain / Malware A new malicious campaign… (7)
- Essential Guide to Cybersecurity Compliance by Admin September 26, 2023 SOC 2, ISO, HIPAA, Cyber Essentials – all the security… (6)
Gloss
- beeg on New Report Uncovers Three Distinct Clusters of China-Nexus Attacks on Southeast Asian Government
- great 126rt on New Report Uncovers Three Distinct Clusters of China-Nexus Attacks on Southeast Asian Government
- More info on Alumni Club Management Tools 2.2.7 SQL Injection / Arbitrary File Upload – Torchsec
- Hyperbaric Oxygen เชียงใหม่ on Alumni Club Management Tools 2.2.7 SQL Injection / Arbitrary File Upload – Torchsec
- sga508 on Alumni Club Management Tools 2.2.7 SQL Injection / Arbitrary File Upload – Torchsec
- inpatient detox near me on Alumni Club Management Tools 2.2.7 SQL Injection / Arbitrary File Upload – Torchsec
- buy auto instagram followers on Alumni Club Management Tools 2.2.7 SQL Injection / Arbitrary File Upload – Torchsec
- Source URL on Alumni Club Management Tools 2.2.7 SQL Injection / Arbitrary File Upload – Torchsec
- Click here on Alumni Club Management Tools 2.2.7 SQL Injection / Arbitrary File Upload – Torchsec
- adding a wall to a finished basement on Alumni Club Management Tools 2.2.7 SQL Injection / Arbitrary File Upload – Torchsec
☕️Social Media

Torchsec

Tweets by Torch_sec
👥Members

Newest | Active | Popular
- Louie Hursey
  
  registered 3 days, 11 hours ago
- Michell Real
  
  registered 1 week, 2 days ago
- Maryjo Combes
  
  registered 1 week, 2 days ago
- Janina Midgette
  
  registered 2 weeks, 3 days ago
- Lola Reiter
  
  registered 2 weeks, 3 days ago
🌍 Forum Groups

Newest | Active | Popular | Alphabetical
- General Talk
  
  active 3 days, 11 hours ago
- Help Me !!
  
  active 3 days, 11 hours ago
- Comments & Suggestions
  
  active 3 days, 11 hours ago
- Ebooks – Papers
  
  active 3 days, 11 hours ago
- Embedded Systems, Electronics, Gadgets, and DIY
  
  active 3 days, 11 hours ago
linktr.ee/obewyn

We share and comment on interesting infosec related news, tools and more. Follow us on RSS ,Facebook or Twitter for the latest updates. Torchsec is designed to help Auditors, Pentesters & Security Experts to keep their ethical hacking oriented toolbox up-to-date .
This website is made for educational and ethical testing purposes only。It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this website.

Archives

© Torchsec Privacy Policy Disclaimer T&C

Back to Top ↑