CVE-2025-15479
Stored XSS in Zumbrunn NGSurvey Allows Session Hijacking
Publication date: 2026-01-07
Last updated on: 2026-01-07
Assigner: TCS-CERT
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| data_illusion | zumbrunn_ngsurvey_enterprise_edition | 3.6.4 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a stored cross-site scripting (XSS) issue in the survey content and administration functionality of Data Illusion Zumbrunn NGSurvey Enterprise Edition 3.6.4. Authenticated remote users who have survey creation or edit privileges can inject malicious JavaScript code into survey content. When other users view this crafted survey content, the malicious script executes in their browsers, potentially stealing session information and allowing unauthorized actions to be performed on their behalf. This occurs because the application does not properly encode output before rendering the survey content.
How can this vulnerability impact me?
This vulnerability can impact you by allowing attackers with certain privileges to execute arbitrary JavaScript in other users' browsers. This can lead to theft of session information, which may result in unauthorized access to user accounts or actions performed without the users' consent. It can compromise user data and the integrity of the application, potentially leading to further exploitation or data breaches.