CVE-2020–29205

#Exploit Title : Projectworlds-online-examination-systen-in-php 1.0 is vulnerable to Stored XSS via the “name” parameter on signup page

#Exploit Author : Nikhil Kumar

#vendor : Project Worlds

#Application Link : https://github.com/projectworldsofficial/online-examination-systen-in-php

#Version: 1.0

# CVE Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-29205

# CVE: CVE-2020–29205

What is Stored XSS :

XSS is Stand for Cross-Site Scripting. Stored XSS is a type of XSS. In Which an attacker permanently inject the malicious java script in database of the target server. A common impact of XSS are that the attacker can steal the cookies of users , deface the web application and redirect the user’s to phishing pages.
Stored XSS is also known as Persistent XSS.

Attack Vector:
An attacker to inject the XSS payload in the vulnerable input point and each time user’s visit application the XSS triggers and Attacker can able to redirect to some malicious or phishing webpage according to the crafted payload.

Vulnerable Parameter: “name=” on signup page

Remediation :
https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html

Author: Nikhil Kumar
https://www.linkedin.com/in/nikhil-kumar-4b9443166/