Executive Summary

CVE-2026-4973 is a Stored Cross-Site Scripting (XSS) vulnerability in the SourceCodester Online Quiz System version 1.0. It exists in the Add Question functionality, specifically in the quiz_question parameter handled by the endpoint add-question.php.

The system does not properly sanitize or encode user input submitted via this parameter. An attacker with teacher-level privileges can inject malicious JavaScript code into the quiz_question field. This malicious input is stored directly in the database without sanitization and later rendered without output encoding on quiz.php and take-quiz.php pages.

As a result, the malicious script executes automatically in the browsers of any users (including students) who view the affected quiz pages, enabling attacks such as session hijacking, account takeover, phishing, and unauthorized actions on behalf of victims.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows attackers to execute arbitrary scripts in the browsers of all users viewing the quiz, including students.

• Session cookie theft, which can lead to session hijacking.
• User redirection to malicious sites.
• Phishing attacks targeting users of the quiz system.
• Unauthorized actions performed on behalf of victims.

The attack requires only teacher-level access to inject the malicious payload, but the impact affects all users who view the quiz.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by testing the Add Question functionality of the SourceCodester Online Quiz System, specifically the quiz_question parameter in the endpoint /online-quiz-system/endpoint/add-question.php.

A practical detection method is to attempt injecting a simple XSS payload such as <script>alert('XSS')</script> into the quiz_question field while logged in as a teacher. If the payload executes on quiz.php or take-quiz.php pages, the vulnerability is present.

There are no specific network commands provided, but manual testing through the web interface or automated web vulnerability scanners targeting stored XSS in the quiz_question parameter can be used.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation involves sanitizing all user inputs before storing them and encoding outputs before rendering them in the application.

Specifically, the quiz_question parameter should be sanitized using functions like htmlspecialchars in PHP to neutralize malicious scripts.

• Sanitize input: $quizQuestion = htmlspecialchars($_POST['quiz_question'], ENT_QUOTES, 'UTF-8');
• Encode output before rendering: <?= htmlspecialchars($quizQuestion, ENT_QUOTES, 'UTF-8') ?>

Additionally, restrict teacher-level access to trusted users only and monitor for suspicious activity related to quiz question submissions.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows attackers to execute arbitrary scripts in the browsers of users viewing the quiz, potentially leading to session cookie theft, user redirection, phishing, and unauthorized actions on behalf of victims.

Such impacts can compromise user data confidentiality and integrity, which are critical aspects of compliance with standards like GDPR and HIPAA.

Specifically, the potential for session hijacking and unauthorized access could lead to violations of data protection requirements, exposing personal or sensitive information.

Therefore, this vulnerability poses risks that may affect an organization's ability to comply with regulations that mandate protection of user data and secure handling of personal information.

Useful 0 Not Useful 0