CVE-2021-47962 Overview
CVE-2021-47962 is a stored cross-site scripting (XSS) vulnerability in Savsoft Quiz 5.0, an open-source online quiz and examination platform. The flaw resides in the user account settings page exposed through the edit_user endpoint. Authenticated attackers can inject arbitrary HTML and JavaScript into profile fields, which are then stored server-side without proper sanitization or output encoding. When another user views the affected profile, the injected payload executes in their browser context. The issue is tracked under CWE-79: Improper Neutralization of Input During Web Page Generation.
Critical Impact
Authenticated attackers can hijack sessions, steal authentication cookies, perform actions on behalf of other users, or pivot to administrative accounts when an administrator views the malicious profile.
Affected Products
- Savsoft Quiz 5.0
- Savsoft Quiz v5 (source distribution on the vendor GitHub repository)
- Deployments referencing the edit_user profile endpoint
Discovery Timeline
- 2026-05-15 - CVE-2021-47962 published to NVD
- 2026-05-18 - Last updated in NVD database
Technical Details for CVE-2021-47962
Vulnerability Analysis
The vulnerability is a persistent (stored) XSS issue [CWE-79] in the Savsoft Quiz 5.0 user profile workflow. The application accepts user-supplied content submitted to the edit_user endpoint and writes it to the database without neutralizing HTML control characters. When that profile content is later rendered, the application emits the data into the HTML response without contextual output encoding.
Because the payload is stored, exploitation does not require the attacker to lure each victim with a crafted link. Any user, including instructors or administrators, who views the modified profile triggers script execution. This expands the blast radius compared with reflected XSS and enables follow-on attacks such as session theft, forced state-changing requests, and privilege escalation.
Public exploitation details are documented in Exploit-DB entry 49825 and the VulnCheck advisory for SavSoft Quiz.
Root Cause
The root cause is missing input validation and missing output encoding on profile fields handled by the edit_user action. The application trusts authenticated user input and writes the raw string to persistent storage. On render, the field is interpolated into HTML markup without HTML-entity encoding, allowing <script> tags and event-handler attributes to be parsed by the browser.
Attack Vector
Exploitation requires a low-privileged authenticated account on the target Savsoft Quiz instance. The attacker navigates to their account settings page, submits a payload containing JavaScript through one of the profile input fields, and saves the change. Any subsequent viewer of that profile receives the malicious markup as part of the page response, and the script executes within their session context. The vulnerability requires user interaction in the form of a victim viewing the profile.
No verified proof-of-concept code is published in the CVE record. For technical reproduction steps, refer to the Savsoft Quiz v5 repository and the Exploit-DB submission.
Detection Methods for CVE-2021-47962
Indicators of Compromise
- Profile fields in the Savsoft Quiz user database containing markup such as <script> tags, <img onerror= or <svg onload= event-handler attributes, or javascript: URIs.
- HTTP POST requests to the edit_user endpoint with body parameters containing angle brackets or encoded script payloads.
- Outbound browser requests from authenticated sessions to unexpected third-party domains shortly after rendering a user profile page.
Detection Strategies
- Inspect web server access logs for POST /edit_user requests where body or query parameters contain HTML metacharacters or known XSS strings.
- Run database queries against the users table to identify stored values containing <, >, onerror=, onload=, or javascript:.
- Deploy a web application firewall rule set, such as OWASP CRS, in front of the application and review blocked events for the edit_user path.
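The log-inspection strategy above, as an added example that is not part of the original advisory: it parses constructed combined-format access-log lines (with a logged request body, which is an assumption since stock web servers do not log POST bodies by default), URL-decodes each edit_user form field, and flags fields carrying the metacharacters and handler names listed under Indicators of Compromise. Field names and IP addresses are constructed.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines. The trailing body="..." is an assumed
# extension of the combined log format; stock nginx/Apache do not log POST bodies.
SAMPLE_LOG = """\
10.0.0.5 - - [15/May/2026:10:01:02 +0000] "POST /edit_user HTTP/1.1" 302 0 "-" "Mozilla/5.0" body="first_name=Alice&last_name=Smith"
10.0.0.9 - - [15/May/2026:10:03:44 +0000] "POST /edit_user HTTP/1.1" 302 0 "-" "Mozilla/5.0" body="first_name=%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E&last_name=Doe"
10.0.0.9 - - [15/May/2026:10:04:10 +0000] "GET /profile/7 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [15/May/2026:10:05:00 +0000] "POST /edit_user HTTP/1.1" 302 0 "-" "Mozilla/5.0" body="bio=Hello+%26+welcome"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'\d+ \d+ "[^"]*" "[^"]*"(?: body="(?P<body>[^"]*)")?'
)

# Markers taken from the page's IoC list: angle brackets, event-handler
# attributes and javascript: URIs.
XSS_MARKERS = re.compile(r'<|>|on(?:error|load|mouseover|click)\s*=|javascript:', re.IGNORECASE)

def decode_body(value):
    """URL-decode repeatedly so a double-encoded '<' (%253C) is also caught."""
    prev, cur = None, value
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote_plus(cur)
    return cur

def find_suspicious_edit_user_posts(log_text):
    """Return (ip, timestamp, decoded field) for POSTs to edit_user carrying XSS markers."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("method") != "POST" or "/edit_user" not in m.group("path"):
            continue
        # Split on '&' before decoding so an encoded '&' inside a value stays in its field.
        for raw_field in (m.group("body") or "").split("&"):
            field = decode_body(raw_field)
            if XSS_MARKERS.search(field):
                hits.append((m.group("ip"), m.group("ts"), field))
    return hits

if __name__ == "__main__":
    for hit in find_suspicious_edit_user_posts(SAMPLE_LOG):
        print("suspicious edit_user POST:", hit)
```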
Monitoring Recommendations
- Alert on client-side telemetry showing document.cookie reads or anomalous fetch/XHR calls from authenticated sessions immediately after loading a profile view.
- Track administrator account logins followed by unexpected privilege changes or new user creations, which may indicate session theft via XSS.
- Forward web server, WAF, and application logs to a centralized analytics platform and build correlation rules around the edit_user endpoint.
How to Mitigate CVE-2021-47962
Immediate Actions Required
- Audit all existing user profile records and strip or HTML-encode stored markup before redeploying the application.
- Restrict access to the Savsoft Quiz instance to trusted networks, or place it behind authenticated VPN access until a fix is applied.
- Rotate session tokens and force a password reset for administrative accounts that may have viewed untrusted profiles.
Patch Information
No official patched version is referenced in the CVE record at the time of publication. Monitor the Savsoft Quiz v5 GitHub repository and the vendor website for security updates. Until a vendor patch is available, apply server-side input validation and contextual output encoding on every field rendered from the users table.
Workarounds
- Implement a server-side allowlist that rejects HTML metacharacters in profile fields handled by edit_user.
- Apply HTML-entity encoding on output rendering for every user-controlled profile field.
- Deploy a strict Content Security Policy that disallows inline scripts and restricts script sources to the application origin.
- Enable HttpOnly and Secure flags on session cookies to reduce the impact of successful script execution.
# Example nginx Content Security Policy header to limit XSS impact
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'self'" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
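The first two workarounds (a server-side allowlist for edit_user profile fields and HTML-entity encoding at render time), as an added example that is not Savsoft Quiz's own code: it shows the vulnerable render pattern described under Root Cause next to the hardened one. The field names, validation rules and sample submissions are constructed for illustration.

```python
import html
import re

# Constructed profile submissions as an edit_user handler would receive them.
# Field names are illustrative, not Savsoft Quiz's actual column names.
SUBMISSIONS = {
    "benign":  {"first_name": "Alice", "bio": "Teaches maths & physics"},
    "hostile": {"first_name": "Mallory", "bio": "<img src=x onerror=alert(1)>"},
}

# Workaround 1: server-side allowlist. A name allows letters, spaces, hyphens and
# apostrophes; free-text bio allows printable text but no HTML metacharacters.
FIELD_RULES = {
    "first_name": re.compile(r"^[^\W\d_][\w' -]{0,49}$"),
    "bio": re.compile(r"^[^<>\"'`]{0,500}$"),
}

def validate_profile(fields):
    """Return the names of fields that fail the allowlist (unknown fields included); empty means accept."""
    rejected = []
    for name, value in fields.items():
        rule = FIELD_RULES.get(name)
        if rule is None or not rule.fullmatch(value):
            rejected.append(name)
    return rejected

def render_profile_vulnerable(fields):
    """The bug class on this page: stored values interpolated straight into markup."""
    return "<p>{first_name}</p><div>{bio}</div>".format(**fields)

def render_profile_safe(fields):
    """Workaround 2: HTML-entity encode every user-controlled value at render time,
    regardless of what was stored (quote=True also encodes ' and " for attribute contexts)."""
    encoded = {k: html.escape(v, quote=True) for k, v in fields.items()}
    return "<p>{first_name}</p><div>{bio}</div>".format(**encoded)

if __name__ == "__main__":
    for label, fields in SUBMISSIONS.items():
        print(label, "rejected fields:", validate_profile(fields))
        print("  vulnerable:", render_profile_vulnerable(fields))
        print("  safe:      ", render_profile_safe(fields))
```

Both layers belong together: validation stops the payload from being stored, while output encoding protects against records that were saved before the fix was applied.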
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.