CVE-2022-29728

CVE-2022-29728 | Survey Sparrow Enterprise Survey Software | Stored cross-site scripting (XSS) vulnerability 2022

Description

On May 11, Survey Sparrow Enterprise Survey Software 2022 was reported to have a reflected cross-site scripting (XSS) vulnerability in the test parameter. It was discovered by the security team of Green Tick Nepal Pvt. Ltd., located in Kathmandu, Nepal.

 

Proof of Concept

The security team of Green Tick Nepal Pvt. Ltd. published a Proof of Concept (PoC) for SurveySparrow Inc. The vulnerability was found in Survey Sparrow Enterprise-Survey-Software 2022 and is categorized as exploitable. Manipulating the argument test with an unknown input leads to a cross-site scripting vulnerability. The CWE definition for the vulnerability is CWE-79, and this kind of vulnerability affects integrity. An attacker may be able to inject a maliciously crafted payload that could alter the appearance of the page and make it possible to initiate further attacks against site visitors.
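The CWE-79 pattern described above, as an added illustration that is not code from SurveySparrow or from the advisory's authors: a hypothetical handler that reflects the test parameter into HTML, first unencoded and then with output encoding plus defensive response headers. The `/preview` path, the function names and the sample request are assumptions made for the example.

```javascript
// Hypothetical handler logic; nothing here is taken from the affected product.

// Characters that are significant in HTML text and quoted attribute values.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Read the `test` query parameter from a request URL (URL-decoded by the parser).
function getTestParam(requestUrl) {
  return new URL(requestUrl, 'http://localhost').searchParams.get('test') ?? '';
}

// Vulnerable pattern: the parameter is concatenated into markup as-is,
// so any markup in the request becomes part of the response page.
function renderUnsafe(requestUrl) {
  return `<p>Result: ${getTestParam(requestUrl)}</p>`;
}

// Hardened pattern: encode at the point of output, for the HTML context.
function renderSafe(requestUrl) {
  return `<p>Result: ${escapeHtml(getTestParam(requestUrl))}</p>`;
}

// Defence in depth: headers that limit what injected markup could do
// if an encoding step is ever missed.
function securityHeaders() {
  return {
    'Content-Type': 'text/html; charset=utf-8',
    'Content-Security-Policy':
      "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'",
    'X-Content-Type-Options': 'nosniff',
  };
}

// Constructed sample request carrying markup in the `test` parameter.
const SAMPLE_URL = '/preview?test=' + encodeURIComponent('<script>alert(1)</script>');

console.log('unsafe:', renderUnsafe(SAMPLE_URL));
console.log('safe:  ', renderSafe(SAMPLE_URL));
console.log('headers:', securityHeaders());
```

A regression test for the fix can assert that the rendered response never contains a raw `<` originating from the parameter.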

 

Solution

 

| CVE-ID | Description | Products |
| --- | --- | --- |
| CVE-2022-29728 | Survey Sparrow Enterprise Survey Software 2022 has a Reflected cross-site scripting (XSS) vulnerability in the test parameter. | Enterprise-Survey-Software 2022 |

 

Responsible Disclosure Timeline

 

| Date | Remarks |
| --- | --- |
| April 25, 2022 | The request for CVE was submitted to The MITRE Corporation. |
| May 11, 2022 | CVE Published |

§  CVE-2022-29728

References
