Executive Summary

CVE-2026-35403 is a cross-site scripting (XSS) vulnerability found in the survey_accounts module of the LORIS web application versions from 15.10 up to 27.0.2 and 28.0.0.

The issue occurs when a user provides an invalid visit label. Although the input data is properly JSON encoded, the HTTP response does not include the "Content-Type: application/json; charset=utf-8" header.

Because of the missing content-type header, web browsers may interpret the response as HTML instead of JSON, which allows an attacker to execute malicious scripts if a user is tricked into clicking a specially crafted invalid link.

This vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) and was fixed by adding the correct content-type header in later versions.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow an attacker to perform a cross-site scripting attack by tricking a user into following a malicious link containing an invalid visit label.

The impact includes unauthorized access to sensitive data (high confidentiality impact) because the attacker can execute scripts in the context of the victim's browser.

The integrity impact is low, meaning limited ability to modify data, and there is no impact on availability.

Exploitation requires network access, low privileges, and user interaction (the victim must click the malicious link).

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if your LORIS installation is running a vulnerable version (from 15.10 up to 27.0.2 and 28.0.0) and if the survey_accounts module is enabled.

You can test for the vulnerability by sending a request with an invalid visit label to the survey_accounts module and observing the HTTP response headers.

Specifically, you can use curl or similar tools to check if the Content-Type header is missing or not set to 'application/json; charset=utf-8'. For example:

• curl -i -X POST 'http://your-loris-instance/modules/survey_accounts/ajax/ValidateEmailSubmitInput.php' -d 'visit_label=invalid_label'

If the response does not include the header 'Content-Type: application/json; charset=utf-8', the system is likely vulnerable to this XSS issue.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation steps include:

• Upgrade LORIS to version 27.0.3 or 28.0.1 or later, where the vulnerability is fixed by adding the correct Content-Type header.
• If upgrading is not immediately possible, disable the survey_accounts module if it is not in use to prevent exposure.
• Avoid clicking or following suspicious or untrusted links that may contain crafted invalid visit labels.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows for cross-site scripting (XSS) attacks that can lead to unauthorized access to confidential data, as indicated by the high confidentiality impact in the CVSS assessment.

Such unauthorized data access could potentially violate data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized disclosure.

However, the provided information does not explicitly mention compliance impacts or specific regulatory consequences.

Useful 0 Not Useful 0