Savsoft Quiz 5 - Persistent Cross-Site Scripting (XSS)

2021.07.05
ir Ali Seddigh (IR) ir
Risk: Medium
Local: Yes
Remote: Yes
CVE: N/A
CWE: N/A

|=========================================================================== | # Exploit Title : Savsoft Quiz 5 - Persistent Cross-Site Scripting (XSS) | | # Author : Ali Seddigh | | # Category : Web Application | | # Vendor Homepage : https://savsoftquiz.com | | # Tested on : [ Windows ~> 10 ] | | # Version : 5 | | # Date : 2021-07-05 |=========================================================================== ====================================[Description]==================================== The vulnerability is found at the user settings page where the user can change his name and his login credentials. its possible to inject html/js into the fields which will be executed after pressing submit. ====================================[Proof of Concept]==================================== If you installed this software create a new user or you can use the default user shown in the install description test-link: http://192.168.1.109/index.php/user/edit_user/<userid> step1) login into an account step2) click on the top right on you account name and navigate to "My Account" step3) insert "><script>alert(document.cookie);</script> into the fields and hit submit |=========================================================================== | # Discovered By : Ali Triplex |===========================================================================


See this note in RAW Version
Vote for this issue:
100%
0%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top