cbcvebase.
CVE-2023-39115
published 2023-08-16

CVE-2023-39115: install/aiz-uploader/upload in Campcodes Online Matrimonial Website System Script 3.3 allows XSS via a crafted SVG document.

Priority: P2 61 · Severity: critical, CVSS 3.1 base score 9.8
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 4.62% (90.5th percentile)

Affected

1 range
  Vendor: campcodes
  Product: complete_online_matrimonial_website_system_script
  Version range: none listed
  Fixed in: none listed

Detection & IOCs (extracted from sources)

  url: /install/aiz-uploader/upload
  path: /install/aiz-uploader/upload
  filename: file (1).svg
  other: Content-Type: image/svg+xml
  • Monitor POST requests to the path /install/aiz-uploader/upload whose uploaded part carries Content-Type image/svg+xml; such requests indicate an SVG upload attempt consistent with this vulnerability.
  • Detect multipart/form-data uploads to the aiz-uploader endpoint in which the submitted MIME type is image/svg+xml, because the application does not sanitize SVG content for embedded scripts.
  • Alert on uploaded SVG documents that contain <script> tags, JavaScript event handler attributes, or redirect code (e.g., window.location.href) in the request body sent to the upload endpoint.
  • The exploit is triggered by navigating to /profile-settings, then Gallery -> Add New Image; monitor access to uploaded SVG files under the gallery path, since viewing them is what executes the script.
  • The X-CSRF-TOKEN and XSRF-TOKEN headers are present in the exploit request; correlate them with anomalous SVG uploads to identify the attacker's session.
  • The upload endpoint /install/aiz-uploader/upload accepts SVG files with MIME type image/svg+xml without sanitizing embedded JavaScript, which allows stored XSS and script execution in victims' browsers. The application should block SVG uploads or strip script content server-side.
  • The exploit was tested on both Windows and Kali Linux, so the vulnerability is OS-agnostic and depends solely on the web application's lack of SVG sanitization.
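The detection bullets above describe a request-level check: a POST to the aiz-uploader path, a multipart part typed image/svg+xml, and active content inside the SVG. The following is an added example of that logic, not code from the page or from Campcodes. It parses a raw HTTP request, extracts the SVG part, and reports which active-content indicators it contains. The sample request is constructed here; the form field name aiz_file, the host name, the multipart boundary, and the indicator regexes are assumptions for illustration, while the path, filename and MIME type come from the IOC list.

```python
"""Detection helper for CVE-2023-39115-style SVG uploads (added example).

Not code from Campcodes or from the advisory page. Inspects a raw HTTP
request for a POST to the aiz-uploader endpoint carrying an image/svg+xml
part and scans that part for active content.
"""
import re
from dataclasses import dataclass, field

UPLOAD_PATH = "/install/aiz-uploader/upload"  # path from the advisory's IOC list

# Indicators of active content inside an SVG (assumed set, case-insensitive).
ACTIVE_CONTENT = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "event_handler": re.compile(r"\son[a-z]+\s*=", re.I),
    "javascript_uri": re.compile(r"javascript\s*:", re.I),
    "location_redirect": re.compile(r"window\.location", re.I),
    "foreignobject": re.compile(r"<\s*foreignObject\b", re.I),
}


@dataclass
class Finding:
    path: str
    filename: str
    indicators: list = field(default_factory=list)


def _parse_headers(text: str) -> dict:
    """Turn 'Name: value' lines into a lower-cased header dict."""
    hdrs = {}
    for line in text.split("\r\n"):
        name, _, value = line.partition(":")
        if name:
            hdrs[name.strip().lower()] = value.strip()
    return hdrs


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    return method, path, _parse_headers("\r\n".join(lines[1:])), body


def multipart_parts(body: bytes, content_type: str):
    """Yield (headers, data) for each part of a multipart/form-data body."""
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if not m:
        return
    boundary = b"--" + m.group(1).encode()
    for chunk in body.split(boundary)[1:]:
        if chunk.strip() == b"--":
            break  # closing delimiter reached
        part_head, _, part_body = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        yield _parse_headers(part_head.decode("latin-1")), part_body.rstrip(b"\r\n")


def inspect_upload(raw: bytes):
    """Return a Finding for an SVG upload to the aiz-uploader path, else None."""
    method, path, headers, body = parse_request(raw)
    if method != "POST" or path.split("?", 1)[0] != UPLOAD_PATH:
        return None
    ct = headers.get("content-type", "")
    if not ct.lower().startswith("multipart/form-data"):
        return None
    for hdrs, data in multipart_parts(body, ct):
        part_ct = hdrs.get("content-type", "").lower()
        fn = re.search(r'filename="([^"]*)"', hdrs.get("content-disposition", ""))
        filename = fn.group(1) if fn else ""
        if part_ct.startswith("image/svg+xml") or filename.lower().endswith(".svg"):
            text = data.decode("utf-8", errors="replace")
            hits = [name for name, rx in ACTIVE_CONTENT.items() if rx.search(text)]
            return Finding(path=path, filename=filename, indicators=hits)
    return None


def build_request(svg: bytes, filename: str = "file (1).svg") -> bytes:
    """Construct a sample multipart upload request (test data, not a capture)."""
    boundary = "----ConstructedBoundary42"  # assumed boundary
    body = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="aiz_file"; filename="{filename}"\r\n'
        "Content-Type: image/svg+xml\r\n\r\n"
    ).encode() + svg + f"\r\n--{boundary}--\r\n".encode()
    head = (
        f"POST {UPLOAD_PATH} HTTP/1.1\r\n"
        "Host: matrimonial.example\r\n"  # constructed host name
        f"Content-Type: multipart/form-data; boundary={boundary}\r\n"
        f"Content-Length: {len(body)}\r\n"
    ).encode()
    return head + b"\r\n" + body


# Constructed samples: one SVG with active content, one plain drawing.
MALICIOUS_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" '
                 b'onload="window.location.href=\'https://example.invalid/\'">'
                 b'<script>alert(1)</script></svg>')
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'

if __name__ == "__main__":
    for label, svg in (("malicious", MALICIOUS_SVG), ("benign", BENIGN_SVG)):
        print(label, inspect_upload(build_request(svg)))
```

An empty indicator list on an SVG upload still merits a low-severity log entry, since the safest server-side mitigation named above is to reject SVG uploads entirely; the indicator list is what raises the event to an alert.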