## https://sploitus.com/exploit?id=PACKETSTORM:177658
Details:
Cross Site Scripting vulnerability in Survey JS Survey Creator v.1.9.132
and before allows an attacker to execute arbitrary code via the input field
parameters of the creator survey section.
------------------------------------------
[Vulnerability Type]
Cross Site Scripting (XSS)
------------------------------------------
[Vendor of Product]
SurveyJS
------------------------------------------
[Affected Product Code Base]
Survey Creator - v1.9.132 and before
------------------------------------------
[Affected Component]
In every input field of creator survey section vulnerable to reflected and
stored cross-site scripting.
------------------------------------------
[Attack Type]
Context-dependent
------------------------------------------
[Impact Code execution]
true
------------------------------------------
[Impact Information Disclosure]
true
------------------------------------------
[Attack Vectors]
some XSS filter evasion
------------------------------------------
[Reference]
https://github.com/surveyjs/survey-creator/issues/5285
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]
true
------------------------------------------
[Discoverer]
Jettapol Pumwattanakul
Use CVE-2024-28635
#Proof of concept
Insert
[>"><img src="x:x" onerror="alert(document.cookie)">]
in input fields application reflected cross-site scripting.