Unifiedtransform v2.X is vulnerable to Stored Cross-Site Scripting (XSS) via file upload feature in Syllabus module.
Vendor: https://github.com/changeweb/Unifiedtransform
Step 1: Log in to the Application and Navigate to Academic module.
Step 2: Create Session,Semester,Class,Course from the Academic module with random data.
Step 3: Navigate to Syllabus module, fill in the required details and upload PDF file with XSS payload in the Syllabus File upload input.
Step 4: Navigate to Classes -> Syllabus and click on download.
Step 5: Observe the XSS getting triggered!.
