PatchSiren cyber security CVE debrief

CVE-2021-47962 savsofts CVE debrief

A persistent cross-site scripting (XSS) vulnerability in Savsoft Quiz 5.0 allows authenticated attackers to inject malicious HTML and JavaScript code through user profile fields at the edit_user endpoint. The injected payloads execute in browsers of users viewing affected profiles. This vulnerability requires authentication and user interaction, limiting its exploitability but enabling session hijacking and credential theft against other users.

Vendor: savsofts
Product: Savsoft Quiz
CVSS: MEDIUM 5.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-15
Original CVE updated: 2026-05-18
Advisory published: 2026-05-15
Advisory updated: 2026-05-18

Who should care

Organizations running Savsoft Quiz 5.0 for online assessments or training platforms. Security teams managing web application vulnerabilities and developers responsible for input validation in PHP-based quiz applications.

Technical summary

The vulnerability exists in the user account settings page of Savsoft Quiz 5.0, specifically at the edit_user endpoint. Authenticated users can submit HTML and JavaScript payloads through profile fields that are neither validated on input nor encoded on output. The payloads are stored persistently and execute in the browser of any other user who views the affected profile. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N) reflects network accessibility, low attack complexity, required low privileges and required user interaction; it records no impact on the vulnerable system itself (VC:N/VI:N/VA:N) and low confidentiality and integrity impact on subsequent systems (SC:L/SI:L), i.e. the browsers and sessions of the users who view the profile.

Defensive priority

medium

Recommended defensive actions

  • Apply input validation and output encoding for all user profile fields at the edit_user endpoint
  • Implement Content Security Policy (CSP) headers to mitigate script execution
  • Review and sanitize stored user data to remove existing malicious payloads
  • Upgrade to a patched version when available from the vendor
  • Monitor for suspicious profile modifications and script injection attempts
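The pattern behind the first three actions above, and the stored-XSS mechanism described in the technical summary, as an added Python example that is not part of the PatchSiren debrief or of Savsoft Quiz (a PHP application): the raw-interpolation rendering that makes a profile field exploitable sits next to an output-encoded version, a CSP header that blocks inline script, and a scan over stored profile records that flags values containing markup for review. The field names, the sample profile records and the CSP policy are assumptions made for illustration.

```python
import html
import re

# Profile fields accepted by the edit_user endpoint (assumed names; the
# advisory does not list the actual field names).
PROFILE_FIELDS = ("name", "bio", "location")

# Crude indicator of HTML markup or script in a value that should be plain
# text: a tag opener, an inline event-handler attribute, or a javascript: URL.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-zA-Z!]|\bon[a-z]+\s*=|javascript:", re.IGNORECASE)

# Constructed sample records standing in for the application's user table.
SAMPLE_PROFILES = [
    {"id": 1, "name": "Alice", "bio": "Instructor, loves <3 maths", "location": "Oslo"},
    {"id": 2, "name": "Bob", "bio": "<script>alert(1)</script>", "location": "Paris"},
]


def render_profile_unsafe(profile: dict) -> str:
    """Vulnerable pattern: stored field values interpolated straight into HTML."""
    return "".join(f'<p class="{k}">{profile.get(k, "")}</p>' for k in PROFILE_FIELDS)


def encode_html(value: str) -> str:
    """Output-encode a value for an HTML element body or a quoted attribute."""
    return html.escape(value, quote=True)


def render_profile_safe(profile: dict) -> str:
    """Hardened pattern: every user-controlled value is encoded at output time."""
    return "".join(
        f'<p class="{k}">{encode_html(str(profile.get(k, "")))}</p>' for k in PROFILE_FIELDS
    )


def csp_header() -> tuple[str, str]:
    """Mitigating CSP header: scripts only from the site's own origin, no inline
    script. If the application relies on inline scripts, a nonce or hash
    source must be added rather than 'unsafe-inline'."""
    return (
        "Content-Security-Policy",
        "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'",
    )


def flag_stored_profiles(profiles: list[dict]) -> list[tuple[int, str]]:
    """Review stored data: return (user id, field) pairs whose value contains
    markup, so they can be cleaned and the owning account examined."""
    hits = []
    for p in profiles:
        for k in PROFILE_FIELDS:
            if MARKUP_RE.search(str(p.get(k, ""))):
                hits.append((p["id"], k))
    return hits


if __name__ == "__main__":
    for p in SAMPLE_PROFILES:
        print("unsafe:", render_profile_unsafe(p))
        print("safe:  ", render_profile_safe(p))
    print("header:", ": ".join(csp_header()))
    print("flagged:", flag_stored_profiles(SAMPLE_PROFILES))
```

Output encoding, not input filtering, is the control that closes the hole: the scan is a one-off clean-up and monitoring aid and deliberately tolerates a stray "<3", whereas the encoder neutralises every stored value regardless of what the scan recognises.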

Evidence notes

Vulnerability disclosed via VulnCheck advisory with Exploit-DB reference. NVD status marked as 'Deferred'. CVSS 4.0 vector indicates network attack vector with low attack complexity, requiring privileges and user interaction.

Official resources

2026-05-15