CVE-2024-34401 identifies a stored Cross-Site Scripting (XSS) vulnerability in the Savsoft Quiz 6.0 application, specifically through the quiz_name parameter in the insert_quiz endpoint (index.php/quiz/insert_quiz/). Stored XSS occurs when malicious input is saved on the server and later rendered in users' browsers without proper sanitization or encoding, allowing attackers to execute arbitrary JavaScript in the context of the victim's session. This vulnerability is classified under CWE-79, indicating improper neutralization of input during web page generation. The CVSS v3.1 base score is 6.1, reflecting a medium severity with the vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, meaning the attack can be launched remotely over the network without privileges but requires user interaction to trigger. The scope is changed (S:C), indicating that the vulnerability affects resources beyond the vulnerable component, potentially impacting user sessions or other components relying on the quiz_name parameter. The impact affects confidentiality and integrity by enabling theft of session tokens, defacement, or unauthorized actions via script execution, but does not affect availability. No patches or known exploits are currently reported, but the vulnerability poses a risk to any deployment of Savsoft Quiz 6.0 that accepts user input for quiz names without proper sanitization or encoding. Attackers could leverage this to perform phishing, session hijacking, or deliver malware payloads through the application interface.

The stored XSS vulnerability in Savsoft Quiz 6.0 can lead to significant security risks for organizations using this software. Successful exploitation allows attackers to execute arbitrary scripts in the browsers of users who view the malicious quiz names, potentially stealing session cookies, performing actions on behalf of users, or delivering further malware. This compromises user confidentiality and data integrity. While availability is not directly impacted, the reputational damage and potential data breaches can have severe consequences. Educational institutions, training providers, and organizations relying on Savsoft Quiz for assessments and learning management are at risk of targeted attacks, especially if deployed in environments with sensitive user data. The vulnerability's ease of exploitation (no privileges required) and the changed scope increase the risk of widespread impact within affected deployments. Without patches, organizations remain exposed to potential future exploitation once proof-of-concept or exploit code becomes available.

To mitigate CVE-2024-34401, organizations should implement strict input validation and output encoding on the quiz_name parameter to neutralize any malicious scripts before storage and rendering. Employ context-aware encoding (e.g., HTML entity encoding) when displaying user input in web pages. Use Content Security Policy (CSP) headers to restrict script execution and reduce the impact of XSS attacks. Regularly audit and sanitize all user inputs in the application, especially those that are stored and later rendered. Monitor application logs for suspicious input patterns. If possible, isolate the quiz management interface behind authentication and limit access to trusted users. Since no official patch is currently available, consider deploying web application firewalls (WAF) with rules to detect and block XSS payloads targeting the quiz_name parameter. Stay updated with vendor advisories for patches or updates addressing this vulnerability. Additionally, educate users about the risks of clicking on suspicious links or interacting with untrusted content within the application.