## https://sploitus.com/exploit?id=PACKETSTORM:177658
Details:  
  
Cross Site Scripting vulnerability in Survey JS Survey Creator v.1.9.132  
and before allows an attacker to execute arbitrary code via the input field  
parameters of the creator survey section.  
  
------------------------------------------  
  
[Vulnerability Type]  
Cross Site Scripting (XSS)  
  
------------------------------------------  
  
[Vendor of Product]  
SurveyJS  
  
------------------------------------------  
[Affected Product Code Base]  
Survey Creator - v1.9.132 and before  
  
------------------------------------------  
[Affected Component]  
Every input field of the creator survey section is vulnerable to reflected and  
stored cross-site scripting.  
  
------------------------------------------  
[Attack Type]  
Context-dependent  
  
------------------------------------------  
[Impact Code execution]  
true  
  
------------------------------------------  
[Impact Information Disclosure]  
true  
  
------------------------------------------  
[Attack Vectors]  
some XSS filter evasion  
  
------------------------------------------  
[Reference]  
https://github.com/surveyjs/survey-creator/issues/5285  
  
------------------------------------------  
[Has vendor confirmed or acknowledged the vulnerability?]  
true  
  
------------------------------------------  
[Discoverer]  
Jettapol Pumwattanakul  
  
Use CVE-2024-28635  
  
#Proof of concept  
Insert  
[>"><img src="x:x" onerror="alert(document.cookie)">]  
into the application's input fields to trigger reflected cross-site scripting.
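
The defensive counterpart to the proof of concept, as an added example that is not part of the original advisory and is not SurveyJS code: it assumes a field value is written into a double-quoted HTML attribute, shows why the string above leaves that attribute, and shows that encoding on output keeps it inside. The function names `renderInputUnsafe`, `escapeHtmlAttr`, `renderInputSafe` and `staysInsideAttribute` are hypothetical.

```javascript
// Added example: hypothetical rendering helpers, not SurveyJS source code.
// Assumption: the field value ends up inside a double-quoted attribute.

// Vulnerable pattern: the value is concatenated into the attribute as-is.
function renderInputUnsafe(value) {
  return '<input type="text" value="' + value + '">';
}

// Encode the characters that can end an attribute value or open a tag.
function escapeHtmlAttr(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened pattern: encode on output, at the point the markup is built.
function renderInputSafe(value) {
  return '<input type="text" value="' + escapeHtmlAttr(value) + '">';
}

// Regression check: the markup must remain a single <input> tag whose value
// attribute runs up to the final quote. Any markup left after the first
// closing quote means the value broke out of its attribute context.
function staysInsideAttribute(markup) {
  const prefix = '<input type="text" value="';
  if (!markup.startsWith(prefix)) return false;
  const rest = markup.slice(prefix.length);
  const endQuote = rest.indexOf('"');
  return endQuote !== -1 && rest.slice(endQuote) === '">';
}

// The proof-of-concept string from the advisory, used only as test input.
const POC = '>"><img src="x:x" onerror="alert(document.cookie)">';

// Run the check against both renderers for a benign value and the PoC.
function checkRenderers() {
  return {
    unsafeBenign: staysInsideAttribute(renderInputUnsafe('Question 1')),
    unsafePoc: staysInsideAttribute(renderInputUnsafe(POC)),
    safeBenign: staysInsideAttribute(renderInputSafe('Question 1')),
    safePoc: staysInsideAttribute(renderInputSafe(POC)),
  };
}

console.log(checkRenderers());
console.log(renderInputSafe(POC));
```

The same check can run in a unit test suite over every place a survey field value is written into markup, so a regression in output encoding fails the build.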