Description
Savsoft Quiz 5.0 contains a persistent cross-site scripting vulnerability in the user account settings page that allows authenticated attackers to inject malicious HTML and JavaScript code. Attackers can inject script payloads into user profile fields at the edit_user endpoint, which execute in the browsers of users viewing the affected profile after submission.
Published: 2026-05-15
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Savsoft Quiz 5.0 includes a persistent cross‑site scripting flaw that allows an authenticated attacker to inject malicious HTML and JavaScript into user profile fields via the edit_user endpoint. When another user opens the affected profile, the injected scripts execute in that user’s browser, potentially allowing cookie theft, session hijacking, or malicious site redirection.

Affected Systems

The vulnerability affects Savsoft Quiz version 5.0 from the Savsoft Quiz product line. No further sub‑version details are provided.

Risk and Exploitability

The CVSS score of 5.1 indicates a moderate severity. Exploitation requires valid user credentials and the victim must view the compromised profile, making the exploit less likely without user interaction. An EPSS score is not available and the vulnerability is not listed in CISA’s KEV catalog, suggesting limited known exploitation but still warranting timely remediation.

Generated by OpenCVE AI on May 15, 2026 at 20:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest official release of Savsoft Quiz that contains the XSS fix.
  • Replace or sanitize user input in the edit_user endpoint and ensure all profile output is properly escaped or encoded.
  • Deploy a strict Content Security Policy to restrict the execution of unintended scripts in the application.

Generated by OpenCVE AI on May 15, 2026 at 20:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 15 May 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 15 May 2026 19:00:00 +0000

Type Values Removed Values Added
Description Savsoft Quiz 5.0 contains a persistent cross-site scripting vulnerability in the user account settings page that allows authenticated attackers to inject malicious HTML and JavaScript code. Attackers can inject script payloads into user profile fields at the edit_user endpoint, which execute in the browsers of users viewing the affected profile after submission.
Title Savsoft Quiz 5.0 Persistent Cross-Site Scripting via User Settings
First Time appeared Techkshetrainfo
Techkshetrainfo savsoft Quiz
Weaknesses CWE-79
CPEs cpe:2.3:a:techkshetrainfo:savsoft_quiz:5.0:*:*:*:*:*:*:*
Vendors & Products Techkshetrainfo
Techkshetrainfo savsoft Quiz
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

Techkshetrainfo Savsoft Quiz
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-15T20:14:33.506Z

Reserved: 2026-05-15T15:24:28.119Z

Link: CVE-2021-47962

cve-icon Vulnrichment

Updated: 2026-05-15T20:14:29.751Z

cve-icon NVD

Status : Received

Published: 2026-05-15T19:16:55.770

Modified: 2026-05-15T19:16:55.770

Link: CVE-2021-47962

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-15T20:30:06Z

Weaknesses