
 

CVE-2022-29727 | Survey Sparrow Enterprise Survey Software | Stored cross-site scripting (XSS) vulnerability 2022

 

Description

Survey Sparrow Enterprise Survey Software 2022 has a stored cross-site scripting (XSS) vulnerability in the Signup parameter, published as CVE-2022-29727 on May 11, 2022. It was discovered by the security team of Green Tick Nepal Pvt. Ltd., located in Kathmandu, Nepal.

 

Proof of Concept

The security team of Green Tick Nepal Pvt. Ltd. published a Proof of Concept (POC) for SurveySparrow Inc. The vulnerability was found in Survey Sparrow Enterprise-Survey-Software 2022 and is categorized as Exploitable. Manipulating the Signup argument with an unknown input leads to a cross-site scripting vulnerability. The CWE definition for the vulnerability is CWE-79, and this class of vulnerability affects integrity. An attacker may be able to inject a maliciously crafted payload that alters the appearance of the page and makes it possible to initiate further attacks against site visitors.
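
The sketch below is an added illustration, not SurveySparrow's code and not the published proof of concept. It shows the general CWE-79 stored-XSS pattern described above, a signup value saved and later rendered, next to an output-encoded version and a simple audit of stored values. All function names, the in-memory store and the sample values are assumptions constructed for this example.

```javascript
// Added example: generic stored-XSS (CWE-79) pattern and its mitigation.
// Hypothetical names throughout; this is not the vendor's implementation.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that are significant in HTML text and
// quoted-attribute contexts. Single pass, so output is never double-encoded.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// In-memory stand-in for the table that persists signup values.
const signupStore = new Map();
function saveSignup(id, name) {
  signupStore.set(id, name);
}

// Vulnerable pattern: the stored value is concatenated into markup as-is,
// so any markup it contains is interpreted by every visitor's browser.
function renderGreetingUnsafe(id) {
  return `<p class="welcome">Welcome, ${signupStore.get(id)}</p>`;
}

// Hardened pattern: encode at output time, for the context being written.
function renderGreetingSafe(id) {
  return `<p class="welcome">Welcome, ${escapeHtml(signupStore.get(id))}</p>`;
}

// Audit helper: list record ids whose stored value contains angle brackets,
// useful for finding entries saved before the fix was deployed.
function findSuspectSignups() {
  return [...signupStore].filter(([, v]) => /[<>]/.test(String(v))).map(([id]) => id);
}

// Constructed sample data: one ordinary name, one value carrying benign markup.
function demo() {
  signupStore.clear();
  saveSignup('u1', 'Asha');
  saveSignup('u2', '<u>Asha</u>');
  return {
    unsafe: renderGreetingUnsafe('u2'),
    safe: renderGreetingSafe('u2'),
    suspects: findSuspectSignups(),
  };
}
```

Encoding at render time protects pages even when unsafe values are already in storage; the audit helper identifies those records for cleanup.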

Solution

 

| CVE-ID | Description | Products |
| --- | --- | --- |
| CVE-2022-29727 | Survey Sparrow Enterprise Survey Software 2022 has a Stored cross-site scripting (XSS) vulnerability in the Signup parameter. | Enterprise-Survey-Software 2022 |

 

Responsible Disclosure Timeline

| Date | Remarks |
| --- | --- |
| April 25, 2022 | The request for CVE was submitted to The MITRE Corporation. |
| May 11, 2022 | CVE Published |

- CVE-2022-29727

 

 

References
