- Exploit Title: CVE-2024-22909-Online-Exam-System - Cross-Site-Scripting
- Date: 2024-07-01
- Exploit Author: Burak Sevben
- Vendor Homepage: https://code-projects.org/online-examination-system-in-php-with-source-code/
- Software Link: https://download.code-projects.org/details/6e1e8221-95b6-40a5-aa4f-627b4ce3ff5c
- Version: 1.0
- Tested on: Windows 11 Home + PHP 8.2.12, Apache 2.4.58
- CVE: CVE-2024-22909
Onlie Exam System is vulnerable to Cross-Site Scripting via the 'question' parameter at "http://localhost/exam/admin/quesadd.php" Online Exam System is vulnerable to a cross-site scripting vulnerability because it fails to adequately sanitize user-supplied data. An attacker could exploit this issue to run arbitrary scripting code in the browser of an unsuspecting user in the context of the affected site. This could allow an attacker to steal cookie-based authentication credentials and launch other attacks.
- Go to http://localhost/exam/admin/quesadd.php, then type the following payload in the 'Question' section
<video/src=x onerror=alert(document.cookie)>- Then click "Quest List" (http://localhost/exam/admin/queslist.php), XSS will be triggered.
- Also, in the student session, XSS will be triggered when a question with an XSS payload is reached.
