# Exploit Title: Savsoft Quiz 5 - 'field_title' Stored Cross-Site Scripting
# Date: 2020-09-02
# Exploit Author: Dhruv Patel (dhruvp111296)
# Vendor Homepage: https://savsoftquiz.com/
# Software Link: https://github.com/savsofts/savsoftquiz_v5.git
# Version: 5.0
# Tested on: Windows 10

Attack vector:
This vulnerability allows an attacker to inject an XSS payload in the admin panel's Custom Field section, injecting malicious JavaScript code and stealing users' cookies.

Vulnerable Parameters: title

Steps to reproduce:
1. Go to the admin panel's add custom fields page.
2. Fill in the payload as the Title name in title.
3. Now click on Save; we can see our payload gets executed.
4. The payload is then shown to all users as XSS.
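
Added example, not part of the original advisory and not Savsoft Quiz source code: a sketch of how a stored custom-field title reaches the page unencoded, beside the output-encoded form and a save-time allow-list check. All function names, the sample rows and the allow-list are assumptions made for illustration.

```php
<?php
// Added example: hypothetical names, not Savsoft Quiz source code.

// Constructed sample rows standing in for stored custom-field records.
$fields = [
    ['id' => 1, 'title' => 'Department'],
    ['id' => 2, 'title' => '<script>alert(1)</script>'], // constructed markup test value
    ['id' => 3, 'title' => 'R&D "team"'],
];

// Before: the stored title is concatenated into the page as-is, so any
// markup saved through the title parameter is parsed by every viewer's browser.
function render_field_unsafe(array $field): string
{
    return '<td>' . $field['title'] . '</td>';
}

// After: encode on output for the HTML context. ENT_QUOTES also covers quoted
// attribute values; ENT_SUBSTITUTE avoids an empty result on invalid UTF-8.
function esc_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_field_safe(array $field): string
{
    return '<td>' . esc_html($field['title']) . '</td>';
}

// Defence in depth at save time: accept only characters a field label needs.
// (The allow-list and the 100-character limit are assumptions.)
function is_valid_field_title(string $title): bool
{
    return preg_match('/^[\p{L}\p{N} _.,()&"\'-]{1,100}$/u', $title) === 1;
}

foreach ($fields as $field) {
    printf(
        "id=%d valid_at_save=%s\n  unsafe: %s\n  safe:   %s\n",
        $field['id'],
        is_valid_field_title($field['title']) ? 'yes' : 'no',
        render_field_unsafe($field),
        render_field_safe($field)
    );
}
```

Output encoding is the primary fix because it also neutralises titles already stored before validation was added; the save-time check only stops new entries.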