============================================================================================================================================= | # Title : Lost and Found Information System 1.0 WYSIWYG code injection vulnerability | | # Author : indoushka | | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) | | # Vendor : https://www.kashipara.com/project/download/project2/user/2023/202305/kashipara.com_php-lfis-zip.zip | ============================================================================================================================================= poc : [+] This payload injects code of your choice into the welcome page or about via TinyMCE is a WYSIWYG editor V: 7.3.0 which is called inside the file /php-spms/classes/Master.php . [+] Line 86 : Set your Target. [+] Line 27 : set your payload.

Greetings to :===================================================================================== jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)| ===================================================================================================