Details: Cross Site Scripting vulnerability in Survey JS Survey Creator v.1.9.132 and before allows an attacker to execute arbitrary code via the input field parameters of the creator survey section.

------------------------------------------

[Vulnerability Type]
Cross Site Scripting (XSS)

------------------------------------------

[Vendor of Product]
SurveyJS

------------------------------------------

[Affected Product Code Base]
Survey Creator - v1.9.132 and before

------------------------------------------

[Affected Component]
Every input field of the creator survey section is vulnerable to reflected and stored cross-site scripting.

------------------------------------------

[Attack Type]
Context-dependent

------------------------------------------

[Impact Code execution]
true

------------------------------------------

[Impact Information Disclosure]
true

------------------------------------------

[Attack Vectors]
Some XSS filter evasion

------------------------------------------

[Reference]
https://github.com/surveyjs/survey-creator/issues/5285

------------------------------------------

[Has vendor confirmed or acknowledged the vulnerability?]
true

------------------------------------------

[Discoverer]
Jettapol Pumwattanakul

Use CVE-2024-28635

#Proof of concept

Insert [>">] into the input fields; the application responds with reflected cross-site scripting.
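A defender-side check for stored payloads, as an added example that is not part of the original advisory or of SurveyJS code: it walks a saved survey definition and lists every text property containing angle brackets, together with its HTML-escaped form. The JSON layout, the function names and the sample survey are assumptions constructed for illustration.

```javascript
// Added example: audit a saved survey definition for markup in text properties.
// The JSON layout (pages -> elements -> title) and the sample are constructed.

// Characters that change meaning in HTML text and attribute contexts.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode a value so it renders as literal text, not as markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Recursively walk the definition and report every string value that contains
// an angle bracket. Quotes and ampersands are too common in ordinary question
// text to flag on their own, but they are still encoded by escapeHtml().
function findMarkup(node, path = "$", findings = []) {
  if (typeof node === "string") {
    if (/[<>]/.test(node)) {
      findings.push({ path, value: node, escaped: escapeHtml(node) });
    }
  } else if (Array.isArray(node)) {
    node.forEach((item, i) => findMarkup(item, `${path}[${i}]`, findings));
  } else if (node !== null && typeof node === "object") {
    for (const [key, child] of Object.entries(node)) {
      findMarkup(child, `${path}.${key}`, findings);
    }
  }
  return findings;
}

// Constructed sample: one clean question and one whose title carries the
// bracket and quote characters shown in the proof of concept.
const sampleSurvey = {
  title: "Customer feedback",
  pages: [{
    name: "page1",
    elements: [
      { type: "text", name: "q1", title: "Your name" },
      { type: "text", name: "q2", title: 'Comment >">' },
    ],
  }],
};

// Run the audit over the constructed sample.
function auditSample() {
  return findMarkup(sampleSurvey);
}

console.log(auditSample());
```

Flagged paths are candidates for review, since some deployments intentionally allow markup in certain properties.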