# Exploit Title: Savsoft Quiz 5 - 'field_title' Stored Cross-Site Scripting# Date: 2020-09-02# Exploit Author: Dhruv Patel(dhruvp111296)# Vendor Homepage: https://savsoftquiz.com/# Software Link: https://github.com/savsofts/savsoftquiz_v5.git# Version: 5.0# Tested on: Windows 10
Attack vector:
This vulnerability can results attacker to inject the XSS payload in admin
panel Custom Field section. And Inject JavaScript Malicious code & Steal
User’s cookie
Vulnerable Parameters: title
Steps for reproduce:1. Go to admin panel’s add custom fields page
2. Fill the Title name as<script>alert("HELLO XSS")</script> payload in title.3. Now Click on Save we can see our payload gets executed.4. All Users Can Show our Payload As a xss.
