CVE-2023-39115
Published 2023-08-16
install/aiz-uploader/upload in Campcodes Online Matrimonial Website System Script 3.3 allows XSS via a crafted SVG document.
Priority: P2 · 61 · critical · 9.8 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit available: yes (see references)
EPSS: 4.62% (90.5th percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| campcodes | complete_online_matrimonial_website_system_script | — | — |
Detection & IOCs (extracted from sources)
- Monitor POST requests to the path /install/aiz-uploader/upload with a Content-Type of image/svg+xml; such a request indicates an SVG upload attempt against this vulnerability.
- Detect multipart/form-data uploads to the aiz-uploader endpoint where the submitted part's MIME type is image/svg+xml, since the application does not sanitize SVG content for embedded scripts.
- Alert on SVG uploads whose request body contains embedded <script> elements or JavaScript event handlers (e.g., window.location.href redirects) sent to the upload endpoint.
- The exploit is triggered by navigating to /profile-settings, then Gallery -> Add New Image; monitor access to uploaded SVG files under the gallery path for script execution.
- The X-CSRF-TOKEN and XSRF-TOKEN headers are present in the exploit request; correlate them with anomalous SVG uploads to identify attacker sessions.
- The upload endpoint /install/aiz-uploader/upload accepts SVG files with MIME type image/svg+xml without sanitizing embedded JavaScript, allowing stored XSS/code execution. The application should block SVG uploads or strip script content server-side.
- The exploit was tested on both Windows and Kali Linux, indicating the vulnerability is OS-agnostic and depends solely on the web application's lack of SVG sanitization.
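As an added example (not code from the page, the advisory, or Campcodes), a small Python checker that applies the first three detection points above to parsed request events. The path, the MIME type and the active-content markers come from the page; the sample request tuples are constructed.

```python
"""Flag SVG uploads to the aiz-uploader endpoint (CVE-2023-39115 detection helper)."""
import re

UPLOAD_PATH = "/install/aiz-uploader/upload"
SVG_MIME = "image/svg+xml"

# Markers of active content inside an SVG document: <script> elements,
# on* event-handler attributes, javascript: URLs and <foreignObject> embedding.
ACTIVE_SVG = re.compile(
    r"<\s*script\b|\bon[a-z]+\s*=|javascript\s*:|<\s*foreignObject\b",
    re.IGNORECASE,
)


def inspect_upload(method, path, content_type, body):
    """Return a list of finding tags for one HTTP request (empty when clean).

    `content_type` is the outer request header; `body` is the raw request body,
    so the per-part Content-Type of a multipart upload is also examined.
    """
    findings = []
    if method.upper() != "POST" or path.split("?")[0] != UPLOAD_PATH:
        return findings
    svg_declared = SVG_MIME in content_type.lower() or SVG_MIME in body.lower()
    if svg_declared:
        findings.append("svg-upload-to-aiz-uploader")
    if ACTIVE_SVG.search(body):
        findings.append("active-content-in-upload-body")
    return findings


# Constructed sample events (method, path, Content-Type header, body).
SAMPLE_REQUESTS = [
    ("POST", UPLOAD_PATH, "multipart/form-data; boundary=x",
     'Content-Type: image/svg+xml\r\n\r\n<svg xmlns="http://www.w3.org/2000/svg">'
     '<script>window.location.href="//example.invalid"</script></svg>'),
    ("POST", UPLOAD_PATH, "multipart/form-data; boundary=x",
     "Content-Type: image/png\r\n\r\n\x89PNG..."),
    ("GET", "/profile-settings", "", ""),
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req[0], req[1], inspect_upload(*req) or "clean")
```

The same function can be run over a stream of proxy or WAF events; a body that declares image/svg+xml is reason enough to reject server-side, as the last two points above recommend.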
No detection rules found.
No writeups or analysis indexed.
References:
- http://packetstormsecurity.com/files/173950/Campcodes-Online-Matrimonial-Website-System-3.3-Cross-Site-Scripting.html
- https://github.com/Raj789-sec/CVE-2023-39115
- https://www.campcodes.com/projects/php/online-matrimonial-website-system-script-in-php/
- https://www.exploit-db.com/exploits/51656