Automatic Question Paper Generator System 1.0 - Cross-site scripting stored

2022.03.14

Mr Empy (BR)

Risk: Low

Local: No

Remote: Yes

CVE: N/A

CWE: N/A

# Exploit Title: Automatic Question Paper Generator System 1.0 - Cross-site scripting stored
# Date: 2022-11-03
# Exploit Author: Mr Empy
# Software Link: https://www.sourcecodester.com/php/15190/automatic-question-paper-generator-system-phpoop-free-source-code.html
# Version: 1.0
# Tested on: Linux

Title:
================
Automatic Question Paper Generator System 1.0 - Cross-site scripting stored


Summary:
================
The Automatic Question Paper Generator in version 1.0 is vulnerable to arbitrary persistent javascript code injection (XSS), which can lead to thwarting of browser resources and session cookie theft.


Severity Level:
================
7.5 (High)
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N


Affected Product:
================
Automatic Question Paper Generator v1.0


Steps to Reproduce:
================

1. Open your browser, create an account on the site and log into it (http://target.com/aqpg/users/login.php).

2. Click on your profile icon and then click on My Account. The field called "First Name", "Middle Name", "Last Name" are vulnerable to XSS, inject the payload into one of them and then save your changes.

See this note in RAW Version

Vote for this issue:

100%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Automatic Question Paper Generator System 1.0 - Cross-site scripting stored

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.