Jit_Shellcode

Name of the Vulnerable Software and Affected Versions: W. W. Norton InQuizitive versions through 2025-04-08 Description: The issue allows students to insert arbitrary records of their quiz performance into the backend due to the existence of only client-side access control. This is related to a client-side enforcement of server-side security, specifically CWE-602. Recommendations: For W. W. Norton InQuizitive versions through 2025-04-08, consider disabling the functionality that allows students to insert records of their quiz performance into the backend until a patch is available. Restrict access to the backend to minimize the risk of exploitation. Avoid using the affected functionality in the API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: W. W. Norton InQuizitive through 2025-04-08 Description: The issue allows students to conduct stored XSS attacks against educators via a bonus description, `feedback.choice fb[]`, or `question id`. This enables malicious activities by exploiting these parameters. Recommendations: For W. W. Norton InQuizitive through 2025-04-08, consider restricting access to the bonus description, `feedback.choice fb[]`, and `question id` parameters to minimize the risk of exploitation until a fix is available. As a temporary workaround, educators should be cautious when interacting with student-submitted content.