Savsoft Quiz 5 - Persistent Cross-Site Scripting (XSS)

CVE: CVE-2021-38116
Category: CWE-79
Price: $500
Severity: High
Author: Unknown
Risk: High
Exploitation Type: Remote
Date: 2021-07-05
CVSS: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.02192
EPSSP: 0.50148

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2021070037

Below is a copy:

Savsoft Quiz 5 - Persistent Cross-Site Scripting (XSS)
|===========================================================================
| # Exploit Title : Savsoft Quiz 5 - Persistent Cross-Site Scripting (XSS)
|                                                                           
| # Author : Ali Seddigh                                            
|                                                                           
| # Category : Web Application               
|
| # Vendor Homepage : https://savsoftquiz.com
|                                                                           
| # Tested on : [ Windows ~> 10 ]                                                     
|
| # Version : 5
|                  
| # Date : 2021-07-05                                                        
|===========================================================================

====================================[Description]====================================
The vulnerability is in the user settings page, where a user can change their name and login credentials. It is possible to inject HTML/JS into the fields, which is executed after pressing submit.


====================================[Proof of Concept]====================================
If you have installed this software, create a new user, or use the default user shown in the install description.

test-link:
http://192.168.1.109/index.php/user/edit_user/<userid>

step1)
Log in to an account.

step2)
Click on your account name at the top right and navigate to "My Account".

step3)
insert 

"><script>alert(document.cookie);</script>

into the fields and hit submit

|===========================================================================
| # Discovered By : Ali Triplex                                             
|===========================================================================
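
Added example, not part of the original advisory and not Savsoft Quiz source code: the test string above starts with a double quote and a closing angle bracket, which is what ends a value="..." attribute when a stored field is written back into the form unencoded. The PHP below renders the same stored value with and without attribute-context encoding and parses both results to show whether it ends up as markup or as data. The helper names and the field name first_name are hypothetical.

```php
<?php
// Added illustration; helper and field names are hypothetical, not Savsoft Quiz code.

// Vulnerable pattern: the stored profile value is concatenated into the
// value="..." attribute unchanged, so a double quote ends the attribute.
function render_field_unsafe(string $name, string $stored): string
{
    return '<input type="text" name="' . $name . '" value="' . $stored . '">';
}

// Hardened pattern: encode for the HTML attribute context when writing output.
// ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE replaces invalid UTF-8
// instead of returning an empty string.
function render_field_safe(string $name, string $stored): string
{
    $flags = ENT_QUOTES | ENT_SUBSTITUTE;
    return '<input type="text" name="' . htmlspecialchars($name, $flags, 'UTF-8')
        . '" value="' . htmlspecialchars($stored, $flags, 'UTF-8') . '">';
}

// Parse the fragment with an HTML parser and report what the stored value
// became: a <script> element of its own, or plain data inside the attribute.
function inspect_fragment(string $html): array
{
    $doc = new DOMDocument();
    $previous = libxml_use_internal_errors(true); // collect parser warnings quietly
    $doc->loadHTML('<html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    $input = $doc->getElementsByTagName('input')->item(0);
    return [
        'script_elements' => $doc->getElementsByTagName('script')->length,
        'input_value'     => $input ? $input->getAttribute('value') : null,
    ];
}

// The test string from the proof of concept on this page.
$stored = '"><script>alert(document.cookie);</script>';

foreach (['unsafe' => 'render_field_unsafe', 'safe' => 'render_field_safe'] as $label => $render) {
    $result = inspect_fragment($render('first_name', $stored));
    printf("%-6s script elements: %d, input value: %s\n", $label,
        $result['script_elements'], var_export($result['input_value'], true));
}
```

Encoding is applied when the value is written into the page, so the stored value itself is left unchanged and is shown back to the user exactly as entered.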
