CVE-2023-53876

Medium CVSS: 5.1

Academy LMS 6.1 contains a file upload vulnerability that allows authenticated users to upload malicious SVG files with stored cross-site scripting payloads. Attackers can inject malicious scripts through the profile avatar upload feature by modifying file extensions and embedding executable JavaScript code.

Vendor

Creativeitem

Product

Academy Lms

CWE

CWE-434

Yayın Tarihi

2025-12-15 21:15:50

Güncelleme

2025-12-18 22:35:48

Source Identifier

disclosure@vulncheck.com

KEV Date Added

Kategoriler

CWE-434 Academy Lms MEDIUM Creativeitem 2025

Referanslar

https://academylms.net/ https://www.exploit-db.com/exploits/51702 https://www.vulncheck.com/advisories/academy-lms-arbitrary-file-upload-vulnerability-via-profile-settings https://www.exploit-db.com/exploits/51702

Benzer Kayıtlar

Medium

CVE-2025-71179

Creativeitem Academy LMS 7.0 contains reflected Cross-Site Scripting (XSS) vulnerabilities via the search parameter to t…

Medium

CVE-2025-56748

Creativeitem Academy LMS up to and including 5.13 uses predictable password reset tokens based on Base64 encoded templat…

Critical

CVE-2025-56749

Creativeitem Academy LMS up to and including 6.14 uses a hardcoded default JWT secret for token signing. This predictabl…

Low

CVE-2025-56746

Creativeitem Academy LMS up to and including 5.13 does not regenerate session IDs upon successful authentication, enabli…

Medium

CVE-2025-56747

Creativeitem Academy LMS up to and including 5.13 contains a privilege escalation vulnerability in the Api_instructor co…

Medium

CVE-2025-40990

Stored Cross Site Scripting vulnerability in Ekushey CRM v5.0 by Creativeitem, due to lack of proper validation of user…