1) Stored XSS in Admin menu. There is XSS in the admin menu. If a user can manipulate the admin menu, he can execute XSS attacks.
2) Stored XSS in Question Formats. There is XSS in question formats. If a user can manipulate the question formats, he can execute XSS attacks.
3) User Permissions. There is no need to give admin permissions to a user who is not responsible for quiz creation.
Stored XSS in Admin Menu
Stored XSS can be induced in the admin menu. If a user can manipulate the admin menu, he can execute XSS attacks.
A user who can create a quiz that is stored on the web server, and who also has access to the admin menu, will be able to execute an XSS attack. This stored XSS vulnerability affects all versions of PHPBB.