CVE-2024-57370: sunnygkp10’s Online Exam System
Description of CVE-2024-57370
Cross-site Scripting (XSS) vulnerability in sunnygkp10 Online Exam System master version allows a remote attacker to obtain sensitive information via the w parameter.
Vulnerable Code:
As shown in lines 16 - 18 of index.php, the code checks whether the w parameter exists in the URL using @$_GET['w'] (the @ only suppresses the undefined-index notice; it performs no validation). If w is present, its value is echoed into a JavaScript string literal inside a <script> tag that builds a client-side alert. Because the value is never sanitized, validated, or encoded, attacker-controlled input lands directly in a JavaScript string context, where a double quote followed by ); is enough to close the alert call and start arbitrary code.
Proof-of-Concept:
Weaponized, an attacker places JavaScript in the w parameter and tricks a user, typically one who is logged in, into opening the crafted link; the payload then runs in the victim's browser within the application's origin. The PoC URL below closes the string literal and the alert() call, injects a second alert that reads document.cookie, and uses // to comment out the remainder of the original statement:
POC: http://DOMAIN_NAME/Online-Exam-System-/index.php?w=%22);alert(document.cookie);//%22
Decoded, the value of w is ");alert(document.cookie);//" . Note that if the session cookie is flagged HttpOnly, document.cookie will not expose it, but the injected script still executes with full access to the page DOM and can issue requests as the victim.
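The following is an added example, not code from the Online Exam System or from the advisory author: a reconstruction of the echo-into-<script> pattern described above, placed next to a hardened version that encodes the value as a JSON string literal. The exact markup of lines 16 - 18 is not reproduced on this page, so the vulnerable function is an assumption that keeps only the behaviour the advisory states (raw $_GET['w'] concatenated into a JavaScript string); the function names, the file name and the second test input are likewise constructed for illustration.

```php
<?php
// Added example (not the project's code): a reconstruction of the pattern the
// advisory describes for index.php, next to a hardened version.
// Assumption: the real lines 16-18 are not reproduced on this page, so the
// exact markup is a guess; only the behaviour (raw $_GET['w'] echoed into a
// JS string inside <script>) is taken from the advisory.
// Run with: php xss_w_demo.php

// Vulnerable pattern: the value of ?w= is concatenated into a JavaScript
// string literal with no encoding. A value containing ") ends the literal
// and the alert() call, and everything after it is parsed as code.
function render_vulnerable(string $w): string
{
    return '<script>alert("' . $w . '");</script>';
}

// Hardened pattern: emit the value as a JSON string literal with the
// HTML-sensitive characters hex-escaped. JSON_HEX_QUOT/APOS keep the value
// from closing the JS string, JSON_HEX_TAG/AMP keep it from closing the
// <script> element or starting an entity, and json_encode also escapes "/".
function render_hardened(string $w): string
{
    $js = json_encode(
        $w,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_UNESCAPED_UNICODE
    );
    if ($js === false) {
        // Invalid UTF-8 or another encoding failure: emit an empty string
        // rather than falling back to the raw value.
        $js = '""';
    }
    return '<script>alert(' . $js . ');</script>';
}

// The advisory's PoC value, URL-decoded the way PHP populates $_GET['w'].
$poc = urldecode('%22);alert(document.cookie);//%22');

// A second, constructed input that escaping only the quote would miss:
// it closes the <script> element itself and injects an HTML event handler.
$breakout = '</script><img src=x onerror=alert(1)>';

foreach (['PoC' => $poc, 'script-breakout' => $breakout] as $label => $w) {
    echo "[$label] input:      $w\n";
    echo "[$label] vulnerable: " . render_vulnerable($w) . "\n";
    echo "[$label] hardened:   " . render_hardened($w) . "\n\n";
}
```

Running the script prints both renderings for each input. In the vulnerable output the PoC's leading ") terminates the alert call, so the browser executes alert(document.cookie) as a separate statement; in the hardened output every quote, slash and angle bracket arrives as a \u00xx or \/ escape inside a single JSON string literal, and the </script> breakout becomes inert text. If w is only ever meant to select one of a few fixed status messages, mapping it through a server-side allowlist and never reflecting the raw value is the simpler fix; a Content-Security-Policy without 'unsafe-inline' is worthwhile defence in depth but does not replace output encoding.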