# Exploit Title: Relate Learning And Teaching system Version before 2024.1 Stored XSS
# Date: 18/04/2024
# Exploit Author: kai6u
# Vendor Homepage: https://github.com/inducer/
# So # Exploit Title: Relate Learning And Teaching system Version before 2024.1 Stored XSS
# Date: 18/04/2024
# Exploit Author: kai6u
# Vendor Homepage: https://github.com/inducer/
# Software Link: https://github.com/inducer/relate
# Affected Version:before 2024.1 (https://github.com/inducer/relate/commit/2fdbd4480a2d0a45c746639be244a61a0d4112b6)
# Fixed Version:2024.1 (https://github.com/inducer/relate/commit/d9fa7dcb84b8e5a64ce78ced4f56cdd61c0d59aa)
# Tested on: Ubuntu 22.04
# Summary:
Stored XSS in Relate

# Description:
* 【Prerequisite】
* The attacker has stolen the privilege to answer the exam content. For example, attacker is logged in as a student and have obtained Exam tickets to take the exam.
* The exam is using the following question yaml file.
* https://github.com/inducer/relate-sample/blob/main/questions/multi-question-example.yml

* Stored XSS is performed when the payload is stored and the results are referenced when the exam content is submitted.

1) First, Attacker answer question with below payload.
* Paylod:
* `<script>alert(1)</script>`
2) Next, Course Administrator or Instructor logged in and check answer of this student.( with Exam Analytics view)
* Access to quiz_start/inlinemultin url.
3) Executed Payload and Alert was popped up.
* An attacker can use this feature to force arbitrary requests via JavaScript on users who can view the results.( The content of the request to be enforced and the source code of the malicious JavaScript are described below. )

# References
https://portswigger.net/web-security/cross-site-scripting/stored