Headline
SurveyJS Survey Creator 1.9.132 Cross Site Scripting
SurveyJS Survey Creator versions 1.9.132 and below suffer from both reflective and persistent cross site scripting vulnerabilities.
Details:
Cross Site Scripting vulnerability in Survey JS Survey Creator v.1.9.132
and before allows an attacker to execute arbitrary code via the input field
parameters of the creator survey section.
[Vulnerability Type]
Cross Site Scripting (XSS)
[Vendor of Product]
SurveyJS
[Affected Product Code Base]
Survey Creator - v1.9.132 and before
[Affected Component]
In every input field of creator survey section vulnerable to reflected and
stored cross-site scripting.
[Attack Type]
Context-dependent
[Impact Code execution]
true
[Impact Information Disclosure]
true
[Attack Vectors]
some XSS filter evasion
[Reference]
https://github.com/surveyjs/survey-creator/issues/5285
[Has vendor confirmed or acknowledged the vulnerability?]
true
[Discoverer]
Jettapol Pumwattanakul
Use CVE-2024-28635
#Proof of concept
Insert
[>"><img src="x:x" onerror="alert(document.cookie)">]
in input fields application reflected cross-site scripting.
Related news
Cross Site Scripting (XSS) vulnerability in SurveyJS Survey Creator v.1.9.132 and before, allows attackers to execute arbitrary code and obtain sensitive information via the title parameter in form.