Mindskip xzs-mysql 学之思开源考试系统 Exam Edit edit cross site scripting
Description
A stored XSS vulnerability in Mindskip xzs-mysql 3.9.0 allows an admin to inject arbitrary JavaScript via exam edit fields, affecting student viewers.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The stored Cross-Site Scripting (XSS) vulnerability exists in Mindskip xzs-mysql (学之思开源考试系统) version 3.9.0. The affected endpoint is /api/admin/question/edit of the Exam Edit Handler [1]. An authenticated administrator can manipulate the title or content parameters to inject malicious JavaScript. The input is not sanitized before being stored and later rendered in the context of student users [1].
Exploitation
An attacker must already hold administrator-level access to the application backend. The attacker sends a crafted POST request to /api/admin/question/edit whose JSON body carries a malicious payload (for example an `<img>` tag with an `onerror` handler, as shown under Reproduction) in the `title` or `content` parameter [1]. The payload is stored in the database unmodified. When a student user later views the exam (for example the question listing or exam details), the stored markup is rendered unescaped and the script executes in the student's browser [1].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the browser of any authenticated student user who views the affected question [1]. This can lead to session hijacking, credential theft, or defacement of the exam pages. According to the advisory, the impact is limited to student users; administrator accounts are not directly affected by the stored payload [1].
Mitigation
The vendor was contacted but did not respond [1]. As of publication, no official patch or fixed version is available, and the project may be reaching end-of-life (EOL) status. Until a fix exists, operators should restrict admin access to trusted personnel, HTML-escape the question title, content and analysis fields wherever they are rendered to students, and reject or encode HTML submitted to those fields on the edit endpoint. This CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Mindskip/xzs-mysql 学之思开源考试系统, affected range: 3.9.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input sanitization in the exam edit endpoint allows arbitrary HTML/JavaScript to be stored in question title, content, and analysis fields."
Attack vector
An attacker who has authenticated to the admin backend sends a POST request to /api/admin/question/edit with a JSON payload containing XSS payloads in the title, items[].content, or analyze fields [1]. The server stores the unsanitized input in the database. When a student user views the exam, the malicious script executes in their browser because the application renders the stored content without neutralizing HTML/JavaScript (CWE-79). The attack is remote and requires only admin-level authentication.
Affected code
The affected endpoint is /api/admin/question/edit in the xzs-mysql 3.9.0 application [1]. The vulnerability lies in the exam edit handler, which accepts user-supplied values for the title, items[].content, and analyze fields without sanitizing them for HTML/JavaScript content.
What the fix does
No patch has been published by the vendor, who did not respond to the disclosure [1]. The advisory recommends that input to the title, content, and analyze fields be properly sanitized or encoded before storage, and that output be HTML-escaped when rendered to student users. Without a fix, the application remains vulnerable to stored cross-site scripting via the exam edit functionality.
Preconditions
- auth: Attacker must have valid admin-level authentication to access the /api/admin/question/edit endpoint.
- network: Attacker must be able to send HTTP POST requests to the target server.
- input: The attacker must include a JavaScript payload in the title, items[].content, or analyze fields of the JSON body.
Reproduction
1. Authenticate to the admin backend of xzs-mysql 3.9.0.
2. Send a POST request to /api/admin/question/edit with a JSON body containing an XSS payload in the title field, e.g. `"title":"<IMG SRC=/ onerror=\"alert(String.fromCharCode(88,83,83))\"></img>"`.
3. Log in as a student user and view the exam question; the JavaScript payload executes in the student's browser [1].
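The following is an added example, not code from xzs-mysql or from the advisory, covering both the reproduction above and the fix the advisory recommends. It feeds the advisory's exact payload through a constructed sample of the /api/admin/question/edit JSON body, shows the vulnerable rendering pattern (stored field concatenated straight into HTML) beside an escaped renderer, and adds a server-side check that flags the title, items[].content and analyze fields when they carry markup. The field names come from the advisory; the rest of the body shape (id, prefix) and the render templates are assumptions for illustration, since the page does not show the real handler or view.

```javascript
// Payload from the advisory's reproduction step (student-side alert on render).
const XSS_PAYLOAD = '<IMG SRC=/ onerror="alert(String.fromCharCode(88,83,83))"></img>';

// Constructed sample of a question-edit body; only title/items[].content/analyze
// are taken from the advisory, the other keys are assumed.
const sampleEditBody = {
  id: 1,
  title: XSS_PAYLOAD,
  items: [
    { prefix: 'A', content: 'harmless option' },
    { prefix: 'B', content: XSS_PAYLOAD },
  ],
  analyze: 'plain analysis text',
};

// Minimal HTML entity encoder for text placed into element content or
// double-quoted attribute values.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  const s = value == null ? '' : String(value);
  return s.replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Server-side check for the edit endpoint: report which of the three
// advisory fields contain an HTML tag so the request can be rejected
// (or the fields encoded) before anything is stored.
const TAG_RE = /<\s*\/?\s*[a-z][^>]*>/i;
function findMarkupFields(body) {
  const hits = [];
  if (TAG_RE.test(body.title || '')) hits.push('title');
  (body.items || []).forEach((item, i) => {
    if (TAG_RE.test(item.content || '')) hits.push(`items[${i}].content`);
  });
  if (TAG_RE.test(body.analyze || '')) hits.push('analyze');
  return hits;
}

// Vulnerable pattern (CWE-79): stored fields concatenated into HTML as-is.
function renderQuestionUnsafe(q) {
  const options = (q.items || []).map((it) => `<li>${it.prefix}. ${it.content}</li>`).join('');
  return `<h3>${q.title}</h3><ul>${options}</ul><p>${q.analyze}</p>`;
}

// Fixed pattern: every stored field is entity-encoded at the output point.
function renderQuestionSafe(q) {
  const options = (q.items || [])
    .map((it) => `<li>${escapeHtml(it.prefix)}. ${escapeHtml(it.content)}</li>`)
    .join('');
  return `<h3>${escapeHtml(q.title)}</h3><ul>${options}</ul><p>${escapeHtml(q.analyze)}</p>`;
}

// True if the rendered markup still contains the payload's live <img> tag.
function containsPayloadTag(html) {
  return /<img\b[^>]*onerror=/i.test(html);
}

// Stand-alone demo: the unsafe renderer emits the tag, the safe one does not.
console.log('flagged fields:', findMarkupFields(sampleEditBody));
console.log('unsafe render executes payload:', containsPayloadTag(renderQuestionUnsafe(sampleEditBody)));
console.log('safe render executes payload:', containsPayloadTag(renderQuestionSafe(sampleEditBody)));
```

The output-side encoding is the part that actually closes the hole; the input-side check is defence in depth and is easy to bypass on its own (encoded or unusual tag syntax), so it should reject or encode rather than attempt to strip. Note that escaping for element content is not sufficient if a field is later placed into a JavaScript string or a URL attribute; those sinks need their own encoders.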
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- [1] github.com/cydtseng/Vulnerability-Research/blob/main/xzs-mysql/StoredXSS-ExamEdit.md (MITRE; exploit)
- vuldb.com (MITRE; third-party advisory)
- vuldb.com (MITRE; signature, permissions-required)
- vuldb.com (MITRE; vdb-entry, technical-description)
News mentions
No linked articles in our index yet.