Vendor: Enterprise Survey Software
By: Pankaj Kumar Thakur
CVSS: 5.4 (MEDIUM)
CWE: 79 (Stored Cross-Site Scripting (XSS))
Product Name: Enterprise Survey Software
Affected Version From: 2022
Affected Version To: 2022
Patch Exists: YES
Related CVE: CVE-2022-29727
CPE: a:surveysparrow:enterprise_survey_software:2022
Platforms Tested: Windows
Year: 2022
Survey Sparrow Enterprise Survey Software 2022 – Stored Cross-Site Scripting (XSS)
Survey Sparrow Enterprise Survey Software 2022 is vulnerable to Stored Cross-Site Scripting (XSS). An attacker can inject malicious JavaScript code into the application, where it is stored and later executed in the victim's browser when the vulnerable page is accessed. This can be exploited to steal session cookies and hijack user sessions.
Mitigation:
Input validation should be used to prevent malicious code from being stored in the application. The application should also use a secure flag on the session cookie to prevent it from being sent over an unencrypted connection.