CVE-2023-53876
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-15

Last updated on: 2025-12-18

Assigner: VulnCheck

Description
Academy LMS 6.1 contains a file upload vulnerability that allows authenticated users to upload malicious SVG files with stored cross-site scripting payloads. Attackers can inject malicious scripts through the profile avatar upload feature by modifying file extensions and embedding executable JavaScript code.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-15
Last Modified
2025-12-18
Generated
2026-06-16
AI Q&A
2025-12-15
EPSS Evaluated
2026-06-15
NVD
CVE-2023-53876
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
creativeitem academy_lms 6.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2023-53876 is a file upload vulnerability in Academy LMS version 6.1 that allows authenticated users to upload malicious SVG files containing stored cross-site scripting (XSS) payloads. Attackers exploit this by modifying file extensions and embedding executable JavaScript code within the SVG files via the profile avatar upload feature. This enables the injection and execution of malicious scripts in the context of the affected application. [1, 2]

Impact Analysis

This vulnerability can lead to the execution of malicious scripts within the Academy LMS application, potentially compromising user sessions or allowing attackers to perform unauthorized actions on behalf of users. Since the malicious SVG files contain stored XSS payloads, attackers can inject scripts that execute when other users view the affected content, leading to data theft, session hijacking, or other malicious activities. [1, 2]

Detection Guidance

This vulnerability can be detected by monitoring file uploads to the profile avatar feature for SVG files containing embedded JavaScript code. Using a proxy tool like Burp Suite, intercept POST requests to the profile settings upload endpoint (e.g., https://website/dashboard/#/settings) and inspect uploaded files for suspicious SVG content with script tags or JavaScript payloads. Additionally, you can scan the upload directories (e.g., https://website/wp-content/uploads/) for SVG files and analyze their contents for embedded scripts. Commands to list SVG files on the server could include: `find /path/to/uploads -name '*.svg'` and to inspect suspicious files: `grep -i '<script' /path/to/uploads/*.svg` or `grep -i 'javascript:' /path/to/uploads/*.svg`. [2]

Mitigation Strategies

Immediate mitigation steps include restricting or disabling SVG file uploads in the profile avatar upload feature, implementing strict server-side validation and sanitization of uploaded files to reject files containing executable JavaScript code, and ensuring that uploaded files are served with appropriate Content Security Policy (CSP) headers to prevent script execution. Additionally, review and patch the Academy LMS installation to a version where this vulnerability is fixed or apply available security updates. Monitoring and logging upload activities for suspicious behavior is also recommended. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2023-53876. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart