CVE-2025-15479
📋 TL;DR
Authenticated users with survey creation/edit privileges in NGSurvey Enterprise Edition 3.6.4 can inject malicious JavaScript into survey content. When other users view these surveys, the JavaScript executes in their browsers, potentially stealing session cookies and performing unauthorized actions. This affects all installations on Windows and Linux servers.
💻 Affected Systems
- Data Illusion Zumbrunn NGSurvey Enterprise Edition
📦 What is this software?
NGSurvey Enterprise Edition, survey software from Data Illusion Zumbrunn.
⚠️ Risk & Real-World Impact
Worst Case
Attackers steal administrator session cookies, gain full system control, exfiltrate sensitive survey data, and compromise user accounts across the organization.
Likely Case
Attackers steal user session cookies to impersonate them, modify survey responses, or access sensitive survey data they shouldn't see.
If Mitigated
Limited to authenticated users only, with minimal impact if proper input validation and output encoding are implemented.
🎯 Exploit Status
Exploitation requires authenticated access but is technically simple once authenticated. Stored XSS payloads persist until removed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.6.17
Vendor Advisory: https://docs.ngsurvey.com/installation-setup/change-log#id-3.6.17-2025-05-28
Restart Required: Yes
Instructions:
1. Back up the current installation and database.
2. Download NGSurvey Enterprise Edition 3.6.17 from the official vendor portal.
3. Stop the NGSurvey service.
4. Install/upgrade to version 3.6.17 following the vendor documentation.
5. Restart the NGSurvey service.
6. Verify the upgrade succeeded.
🔧 Temporary Workarounds
Temporary Input Sanitization
Implement custom input validation to strip or encode HTML/JavaScript from survey content fields
Privilege Reduction
Temporarily remove survey creation/edit privileges from non-essential users
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block XSS payloads in survey content
- Enable Content Security Policy (CSP) headers to restrict script execution
🔍 How to Verify
Check if Vulnerable:
Check the NGSurvey version via the admin interface or configuration files. If the version is 3.6.4 or earlier, the system is vulnerable.
Check Version:
Check the NGSurvey admin dashboard or review the application configuration files for the version string.
Verify Fix Applied:
After patching, verify that the version shows 3.6.17 or later. Test by entering a basic XSS payload into a survey content field and confirming that it is displayed encoded rather than executed.
📡 Detection & Monitoring
Log Indicators:
- Unusual survey creation/modification patterns
- Multiple failed XSS attempts in web server logs
- Suspicious JavaScript in survey content fields
Network Indicators:
- Unexpected outbound connections from NGSurvey server after survey views
- Data exfiltration patterns
SIEM Query:
source="ngsurvey_logs" AND (event="survey_modified" OR event="survey_created") AND user!="admin" | stats count by user
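As an added example (not NGSurvey's or the vendor's code), the Python below shows the two defensive pieces described in the workaround and detection sections: output encoding of survey content so injected markup renders as inert text, and a review routine that mirrors the SIEM query above over constructed log events while flagging script-like content in survey fields. The event field names, the sample events and the suspicious-pattern list are assumptions.

```python
import html
import re
from collections import Counter

# Heuristic patterns for active content in a survey field: script tags,
# on* event-handler attributes, javascript: URLs and embedded frames/objects.
# This is a detection aid, not a sanitizer; encoding on output is the fix.
SUSPICIOUS = re.compile(
    r"<\s*script\b|\bon[a-z]+\s*=|javascript\s*:|<\s*(iframe|object|embed)\b",
    re.IGNORECASE,
)


def encode_for_html(text: str) -> str:
    """Output-encode survey content so the browser renders it as text, not markup."""
    return html.escape(text, quote=True)


def is_suspicious(text: str) -> bool:
    """Flag survey content that contains script-like markup."""
    return SUSPICIOUS.search(text) is not None


def review_survey_events(events):
    """Mirror the SIEM query: count survey_created/survey_modified events per
    non-admin user, and list (user, survey_id) for events with suspicious content."""
    counts = Counter()
    flagged = []
    for ev in events:
        if ev["event"] not in ("survey_created", "survey_modified"):
            continue
        if ev["user"] == "admin":
            continue
        counts[ev["user"]] += 1
        if is_suspicious(ev.get("content", "")):
            flagged.append((ev["user"], ev["survey_id"]))
    return counts, flagged


# Constructed sample events (assumed field names, not real NGSurvey log output).
SAMPLE_EVENTS = [
    {"event": "survey_created", "user": "alice", "survey_id": 101,
     "content": "How satisfied are you with the onboarding process?"},
    {"event": "survey_modified", "user": "bob", "survey_id": 102,
     "content": "Rate us: <script>alert(1)</script>"},
    {"event": "survey_modified", "user": "bob", "survey_id": 103,
     "content": '<img src=x onerror="alert(1)">'},
    {"event": "survey_modified", "user": "admin", "survey_id": 104,
     "content": "<b>Thanks for taking part</b>"},
    {"event": "survey_viewed", "user": "carol", "survey_id": 102},
]
```

Running `review_survey_events(SAMPLE_EVENTS)` reproduces the per-user counts the SIEM query would report and singles out the two entries whose content would be neutralised by `encode_for_html` before display.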