
Description

Stored cross-site scripting (XSS, CWE-79) in the survey content and administration functionality of Data Illusion Zumbrunn NGSurvey Enterprise Edition 3.6.4 on all supported platforms (Windows and Linux servers) allows authenticated remote users with survey creation or edit privileges to execute arbitrary JavaScript in other users' browsers, steal session information and perform unauthorized actions on their behalf via crafted survey content that is rendered without proper output encoding.
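As an added illustration (not code from the advisory or from NGSurvey, whose rendering internals are not described here), the same survey-question template is rendered once without and once with context-appropriate HTML encoding, followed by a small parser-based audit that flags any tag or event-handler attribute the template itself did not emit. The sample survey content is constructed.

```python
import html
from html.parser import HTMLParser

# Constructed sample of editor-supplied survey content (not from the advisory):
# one question text and three choice labels, two of them carrying markup.
SAMPLE_QUESTION = {
    "id": "q1",
    "text": 'How satisfied are you? <img src=x onerror="alert(1)">',
    "choices": ["Very", 'Somewhat" onmouseover="alert(2)', "Not at all"],
}

# Tags the template legitimately produces; anything else came from content.
EXPECTED_TAGS = {"p", "label", "input"}


def render_question_unsafe(question):
    """Interpolates editor-controlled text straight into HTML (the defect class)."""
    parts = [f'<p class="question">{question["text"]}</p>']
    for choice in question["choices"]:
        parts.append(
            f'<label><input type="radio" name="{question["id"]}" '
            f'value="{choice}"> {choice}</label>'
        )
    return "\n".join(parts)


def render_question_safe(question):
    """Same template; every editor-controlled value is encoded for its context."""
    qid = html.escape(question["id"], quote=True)
    parts = [f'<p class="question">{html.escape(question["text"])}</p>']
    for choice in question["choices"]:
        enc_attr = html.escape(choice, quote=True)  # inside a double-quoted attribute
        enc_text = html.escape(choice)              # as element text
        parts.append(
            f'<label><input type="radio" name="{qid}" value="{enc_attr}"> {enc_text}</label>'
        )
    return "\n".join(parts)


class _TagAudit(HTMLParser):
    """Collects tags outside the template and any on* event-handler attributes."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in EXPECTED_TAGS:
            self.findings.append(f"unexpected tag <{tag}>")
        for name, _value in attrs:
            if name.startswith("on"):
                self.findings.append(f"event handler {name} on <{tag}>")


def audit_rendered_html(rendered):
    """Regression check: returns a list of findings, empty when output is clean."""
    parser = _TagAudit()
    parser.feed(rendered)
    parser.close()
    return parser.findings
```

Running the audit over both renderings shows the unsafe one introduces an extra tag and two event handlers, while the encoded one yields no findings.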

PUBLISHED Reserved 2026-01-07 | Published 2026-01-07 | Updated 2026-01-07 | Assigner TCS-CERT

MEDIUM: 5.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Problem types

NGSurvey Enterprise 3.6.4 stored XSS via survey content enables arbitrary JavaScript execution

Product status

Default status
unaffected

3.6.4 (semver) before 3.6.17
affected

Timeline

2025-05-12: Vulnerability discovered by the pentester
2025-05-22: Report submitted to TCS-CERT
2025-05-27: Vulnerability report sent to vendor through email (support@dataillusion.com)
2025-05-17: Vendor acknowledged the report and confirmed fixes in v3.6.17
2026-01-07: CVE ID assigned
2026-01-07: Vulnerability disclosure

Credits

Thomas Clair (finder)

References

docs.ngsurvey.com/installation-setup/change-log (vendor advisory)

cds.thalesgroup.com/en/tcs-cert/CVE-2025-15479 (third-party advisory)

cve.org (CVE-2025-15479)

nvd.nist.gov (CVE-2025-15479)
