
Description of CVE-2024-57370

Cross-site Scripting (XSS) vulnerability in sunnygkp10 Online Exam System master version allows a remote attacker to obtain sensitive information via the w parameter.

Vulnerable Code:

As shown in lines 16 - 18 of index.php, the code checks whether the w parameter exists in the URL using @$_GET['w']. If it does, its value is echoed inside a JavaScript <script> tag to build a client-side alert(). Because the value is neither sanitized nor validated, attacker-controlled input is inserted directly into a JavaScript string context, which makes this a reflected cross-site scripting bug.

Proof-of-Concept:

Weaponized, an attacker embeds malicious JavaScript in the w parameter and tricks a user into opening the link. In the PoC below, the URL-encoded value decodes to ");alert(document.cookie);//" : the leading ") closes the string literal and the alert() call that the page constructs, the injected alert(document.cookie) runs, and the trailing // comments out the remainder of the original statement so the script stays syntactically valid. Note that cookies flagged HttpOnly are not readable through document.cookie, so the payload is a demonstration of script execution in the victim's origin; any other JavaScript can be substituted.

POC: http://DOMAIN_NAME/Online-Exam-System-/index.php?w=%22);alert(document.cookie);//%22
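The following is an added illustration and not the project's own index.php: a minimal reproduction of the pattern the description gives (the raw value of w concatenated into a JavaScript string inside a script tag), fed the URL-decoded PoC payload, next to a hardened version that serialises the value with json_encode() and the JSON_HEX_* flags so it can neither leave the string literal nor terminate the script block. The function names and the way the parameter value is obtained are assumptions.

```php
<?php
// Added example for CVE-2024-57370; this is not the project's index.php.
// The function names and parameter handling are assumptions that reproduce
// the pattern described in the advisory (raw value of w echoed into a
// JavaScript string literal).

// Constructed input: the URL-decoded value of the PoC's w parameter.
// In the real page it would arrive as $_GET['w'].
$w = urldecode('%22);alert(document.cookie);//%22');

/**
 * Vulnerable pattern: the raw parameter is concatenated into a JavaScript
 * string literal inside a <script> tag. The payload's leading ") closes the
 * literal and the alert() call, alert(document.cookie) executes, and the
 * trailing // comments out the leftover ");.
 */
function vulnerableAlert(string $w): string
{
    return '<script>alert("' . $w . '");</script>';
}

/**
 * Hardened pattern: json_encode() emits a valid JavaScript string literal,
 * and the JSON_HEX_* flags turn <, >, &, ' and " into \uXXXX escapes, so the
 * value cannot break out of the literal or close the enclosing <script>
 * block. JSON_THROW_ON_ERROR makes invalid UTF-8 fail loudly instead of
 * json_encode() silently returning false (which would render as alert()).
 */
function safeAlert(string $w): string
{
    $literal = json_encode(
        $w,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
    return '<script>alert(' . $literal . ');</script>';
}

echo "Vulnerable: ", vulnerableAlert($w), PHP_EOL;
echo "Hardened:   ", safeAlert($w), PHP_EOL;
```

Run it with php from the command line: the first line shows the injected alert(document.cookie) emitted as live code, the second shows the entire payload confined to one quoted string. HTML entity encoding (htmlspecialchars) is the wrong tool for this context, since entities are not decoded inside a script block and the displayed value would be mangled; json_encode() is the context-appropriate escaping for a value placed in JavaScript.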

References

  1. NIST CVE Link
  2. CVE Link
  3. Online Exam System GitHub
