Thirukrishnan / CVE-2024-27665


CVE-2024-27665

Unifiedtransform v2.X is vulnerable to Stored Cross-Site Scripting (XSS) via file upload feature in Syllabus module.

Vendor: https://github.com/changeweb/Unifiedtransform


PoC

Step 1: Log in to the application and navigate to the Academic module.


Step 2: Create a Session, Semester, Class and Course from the Academic module with random data.

Step 3: Navigate to the Syllabus module, fill in the required details and upload a PDF file containing the XSS payload via the Syllabus File upload input.


Step 4: Navigate to Classes -> Syllabus and click on download.


Step 5: Observe the XSS being triggered.

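The steps above show a user-supplied file being uploaded through the Syllabus module and later rendered by the browser when it is downloaded. The following is an added example, not code from Unifiedtransform, of the two server-side controls that close that path in a PHP application: checking that an upload really is a PDF, and serving stored files as attachments so the browser never renders them in the application's origin. The field name `syllabus_file` and the storage directory are assumptions.

```php
<?php
// Added example (not Unifiedtransform code). Assumes the upload arrives as
// $_FILES['syllabus_file'] and files are stored outside the web root.

// 1. Accept only files whose content is a PDF; never trust the extension
//    or the client-supplied MIME type.
function isGenuinePdf(string $tmpPath): bool
{
    $head = @file_get_contents($tmpPath, false, null, 0, 5);
    if ($head !== '%PDF-') {
        return false;
    }
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    return $finfo->file($tmpPath) === 'application/pdf';
}

// 2. Serve the stored file as a download: an attachment disposition plus
//    nosniff and a sandboxing CSP stop the browser from executing anything
//    embedded in the file with the application's origin.
function sendSyllabusAsAttachment(string $storedPath, string $displayName): void
{
    // Keep the filename to characters that cannot break the header.
    $safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', $displayName);
    if ($safeName === '' || $safeName === null) {
        $safeName = 'syllabus.pdf';
    }

    header('Content-Type: application/pdf');
    header('Content-Disposition: attachment; filename="' . $safeName . '"');
    header('X-Content-Type-Options: nosniff');
    header("Content-Security-Policy: default-src 'none'; sandbox");
    header('Content-Length: ' . filesize($storedPath));
    readfile($storedPath);
}

// Upload handler: reject the file unless it passes the content check and
// store it under a server-generated name (assumed directory).
if (isset($_FILES['syllabus_file']) && $_FILES['syllabus_file']['error'] === UPLOAD_ERR_OK) {
    $tmp = $_FILES['syllabus_file']['tmp_name'];
    if (!isGenuinePdf($tmp)) {
        http_response_code(422);
        exit('Only PDF files are accepted.');
    }
    $stored = '/var/app/storage/syllabus/' . bin2hex(random_bytes(16)) . '.pdf';
    move_uploaded_file($tmp, $stored);
}
```

The download route should call `sendSyllabusAsAttachment()` with the server-side path looked up from the database, never with a path taken from the request.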
