CVE-2024-34401

MEDIUM

Savsoft Quiz 6.0 - Stored Cross-Site Scripting via Quiz Name Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-34401. PoCs published by Eren Sen.

AI-analyzed exploit summary This is a functional proof-of-concept for a persistent XSS vulnerability in Savsoft Quiz v6.0 Enterprise. The exploit demonstrates how an attacker can inject malicious JavaScript via the 'quiz_name' parameter, which is then stored and executed when accessed by other users.

Description

Savsoft Quiz 6.0 allows stored XSS via the index.php/quiz/insert_quiz/ quiz_name parameter.

Exploits (1)

exploitdb WORKING POC

by Eren Sen · textwebappsphp

https://www.exploit-db.com/exploits/51988

View Code ZIP pw:eip

This is a functional proof-of-concept for a persistent XSS vulnerability in Savsoft Quiz v6.0 Enterprise. The exploit demonstrates how an attacker can inject malicious JavaScript via the 'quiz_name' parameter, which is then stored and executed when accessed by other users.

Classification

Working Poc 95%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: Savsoft Quiz v6.0 Enterprise

Auth required

Prerequisites: Valid session cookie (ci_session) · Access to the quiz edit functionality

MITRE ATT&CK

T1189 - Drive-by Compromise

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (1)

Core 1

Core References

Exploit, Third Party Advisory, VDB Entry

https://www.exploit-db.com/exploits/51988

Scores

CVSS v3 6.1

EPSS 0.0021

EPSS Percentile 43.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (1)

techkshetrainfo/savsoft_quiz 6.0

Published May 03, 2024

Tracked Since Feb 18, 2026