CVE-2025-32808

7.7 HIGH

📋 TL;DR

CVE-2025-32808 is a client-side access control vulnerability in W. W. Norton InQuizitive that allows students to insert arbitrary records of their quiz performance into the backend system. This affects all users of InQuizitive through April 8, 2025, enabling grade manipulation and potential stored XSS attacks.

💻 Affected Systems

Products:
  • W. W. Norton InQuizitive
Versions: All versions through 2025-04-08
Operating Systems: All platforms where InQuizitive is accessible
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in the web application interface; no specific OS configuration required.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Students could manipulate academic records at scale, inject malicious scripts affecting other users, and compromise the integrity of the entire grading system.

🟠

Likely Case

Students manipulating their own quiz scores and grades, potentially affecting academic integrity and institutional trust.

🟢

If Mitigated

With proper server-side validation and access controls, only legitimate quiz submissions would be accepted, preventing unauthorized record insertion.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires student-level access but is technically simple; detailed analysis available in referenced Medium articles.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: No

Instructions:

1. Contact W. W. Norton for security updates.
2. Monitor official channels for patch announcements.
3. Apply any available updates immediately.

🔧 Temporary Workarounds

Implement Server-Side Validation

Platforms: all

Add server-side validation for all quiz submissions before accepting them into the backend database.

Temporary Access Restrictions

Platforms: all

Restrict student access to quiz submission endpoints or implement rate limiting.

🧯 If You Can't Patch

  • Monitor quiz submission logs for anomalous patterns or bulk insertions
  • Implement manual review processes for suspicious grade changes

🔍 How to Verify

Check if Vulnerable:

Test if quiz submissions can be manipulated via browser developer tools or proxy interception without server-side validation.

Check Version:

Check InQuizitive interface or contact vendor for version information.

Verify Fix Applied:

Verify that all quiz submissions undergo server-side validation and cannot be arbitrarily modified client-side.

📡 Detection & Monitoring

Log Indicators:

  • Unusual quiz submission patterns
  • Multiple rapid submissions from single users
  • Modified submission payloads

Network Indicators:

  • HTTP requests with manipulated quiz data parameters
  • Unusual API call sequences to submission endpoints

SIEM Query:

source="inquizitive_logs" AND (event="quiz_submission" AND (parameter_tampering="true" OR submission_rate > threshold))
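The two defensive measures this page recommends, server-side validation of every submission and monitoring for rapid or tampered submissions, are shown together below as an added example. It is not InQuizitive code and nothing here is known about the real product's request format, log format or endpoints: the answer key, the payload shape, the log line layout and the sample log lines are all constructed for illustration. The validator never trusts a client-supplied score or student id (the record is always attributed to the authenticated session user and graded against the server-held key) and rejects free-text answers, which is what keeps injected markup out of stored records; the log check flags any user with a burst of submissions inside a short window.

```python
"""Added example (not InQuizitive code): server-side grading of quiz
submissions plus a log check for submission bursts. All identifiers,
payload fields and log formats are assumptions for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Assumed server-held answer key for a hypothetical quiz; the client never
# sends a score, only its chosen answers.
ANSWER_KEYS = {"quiz-7": {"q1": "b", "q2": "d", "q3": "a"}}
ALLOWED_CHOICES = {"a", "b", "c", "d"}  # only closed-choice answers are stored


class RejectedSubmission(Exception):
    """Raised when a submission fails server-side validation."""


def validate_submission(session_user, payload):
    """Return the server-computed performance record for an accepted submission.

    session_user: user id bound to the authenticated session (assumed).
    payload: dict decoded from the client request (constructed shape).
    Client-asserted fields such as "score" or "grade" are ignored; a
    "student_id" that differs from the session user is rejected.
    """
    quiz_id = payload.get("quiz_id")
    if quiz_id not in ANSWER_KEYS:
        raise RejectedSubmission("unknown quiz")
    # The record is attributed to the session user, never to a client-chosen id.
    if payload.get("student_id") not in (None, session_user):
        raise RejectedSubmission("student_id does not match authenticated user")
    answers = payload.get("answers")
    key = ANSWER_KEYS[quiz_id]
    if not isinstance(answers, dict) or set(answers) - set(key):
        raise RejectedSubmission("answers must reference known questions only")
    # Reject free text so nothing but a choice letter ever reaches storage.
    if any(a not in ALLOWED_CHOICES for a in answers.values()):
        raise RejectedSubmission("answers must be one of the allowed choices")
    # Score is derived on the server; any "score"/"grade" in payload is ignored.
    score = sum(1 for q, a in answers.items() if key[q] == a)
    return {"student_id": session_user, "quiz_id": quiz_id,
            "score": score, "max_score": len(key)}


# Constructed log line layout: "<iso-timestamp> user=<id> event=<name> ..."
LOG_LINE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+)")


def burst_submitters(log_lines, window_seconds=60, threshold=5):
    """Return {user: max_count} for users with at least `threshold`
    quiz_submission events inside any sliding window of `window_seconds`."""
    per_user = defaultdict(list)
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m or m["event"] != "quiz_submission":
            continue
        per_user[m["user"]].append(
            datetime.fromisoformat(m["ts"].replace("Z", "+00:00")))
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for user, times in per_user.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[user] = best
    return flagged


# Constructed sample log lines, not real InQuizitive logs.
SAMPLE_LOG = [
    "2025-04-01T10:00:00Z user=s100 event=quiz_submission quiz=quiz-7",
    "2025-04-01T10:00:05Z user=s100 event=quiz_submission quiz=quiz-7",
    "2025-04-01T10:00:09Z user=s100 event=quiz_submission quiz=quiz-7",
    "2025-04-01T10:00:12Z user=s100 event=quiz_submission quiz=quiz-7",
    "2025-04-01T10:00:20Z user=s100 event=quiz_submission quiz=quiz-7",
    "2025-04-01T10:05:00Z user=s200 event=quiz_submission quiz=quiz-7",
    "2025-04-01T10:06:00Z user=s200 event=login",
]

if __name__ == "__main__":
    # A client-supplied "score": 3 is ignored; the server grades 2 of 3.
    print(validate_submission("s100", {"quiz_id": "quiz-7", "score": 3,
                                       "answers": {"q1": "b", "q2": "c", "q3": "a"}}))
    print(burst_submitters(SAMPLE_LOG))
```

The burst check is deliberately a sliding window per user rather than a global request count, so a class submitting at the same time does not trip it; tune `window_seconds` and `threshold` to the quiz length and retake policy in use.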
