CVE-2024-34401 in Savsoft Quiz
Summary
by MITRE • 05/03/2024
Savsoft Quiz 6.0 allows stored XSS via the index.php/quiz/insert_quiz/ quiz_name parameter.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 04/02/2025
The vulnerability CVE-2024-34401 represents a critical stored cross-site scripting flaw discovered in Savsoft Quiz version 6.0, a popular web-based quiz management system. This vulnerability exists within the application's input validation mechanisms, specifically affecting the quiz_name parameter in the index.php/quiz/insert_quiz/ endpoint. The flaw allows authenticated attackers with privileges to create or modify quiz content to inject malicious javascript code that persists in the application's database and executes in the context of other users' browsers when they view the affected quiz.
The technical implementation of this vulnerability stems from insufficient sanitization of user input in the quiz_name parameter. When administrators or authorized users submit quiz names through the insert_quiz functionality, the application fails to properly validate or escape special characters that could be interpreted as executable javascript code. This stored XSS vulnerability operates under CWE-79 which classifies improper neutralization of input during web page generation as a fundamental weakness in web application security. The vulnerability allows attackers to execute malicious scripts in the victim's browser, potentially leading to session hijacking, credential theft, or redirection to malicious sites.
The operational impact of this vulnerability extends beyond simple script execution, as it creates a persistent threat vector that can be exploited by attackers who gain access to the application's administrative or user accounts. Once an attacker successfully injects malicious javascript code through the quiz_name parameter, the payload executes whenever any user accesses the quiz page, potentially affecting multiple users simultaneously. This vulnerability aligns with ATT&CK technique T1531 which focuses on the use of malicious code in web applications, and T1071.001 which covers application layer protocol usage for command and control communications. The stored nature of this vulnerability means that the malicious code remains persistent in the application's database until manually removed, creating a long-term security risk.
Mitigation strategies for CVE-2024-34401 should prioritize immediate patching of the Savsoft Quiz application to the latest version that addresses this vulnerability. Organizations should implement comprehensive input validation and output encoding mechanisms to prevent similar issues in other application components. The principle of least privilege should be enforced by limiting administrative access to only necessary personnel and implementing proper access controls for quiz creation and modification functions. Additionally, regular security assessments including web application firewalls and automated vulnerability scanning should be deployed to detect and prevent similar stored XSS vulnerabilities in other application components. Security monitoring should include detection of suspicious javascript payloads in application data fields, and regular security training should be provided to administrators to recognize and prevent social engineering attempts that might lead to privilege escalation.