Data Illusion Zumbrunn ngSurvey Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in Data Illusion Zumbrunn ngSurvey Enterprise Edition version 3.6.4 on all supported platforms, including Windows and Linux servers. This vulnerability allows authenticated remote users with survey creation or editing privileges to inject arbitrary JavaScript into survey content. The crafted content is rendered without proper output encoding, enabling the execution of the injected script in the browsers of other users. This could lead to the theft of session information and unauthorized actions performed on behalf of the affected users.
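
The rendering flaw described above, as an added example that is not ngSurvey's code or part of the original advisory: stored survey text is rendered raw and then with output encoding, alongside an audit helper that flags stored fields containing markup. The field names (title, questions[].text, helpText) and the sample record are assumptions constructed for illustration.

```javascript
// Added example. Field names are hypothetical, not ngSurvey's real schema.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode a stored value for an HTML text or quoted-attribute context.
function encodeHtml(value) {
  return String(value == null ? '' : value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Pattern the advisory describes: stored text placed into markup as-is.
function renderQuestionUnsafe(q) {
  return `<div class="question"><label>${q.text}</label></div>`;
}

// Hardened form: every stored field is encoded at output time.
function renderQuestion(q) {
  return `<div class="question" title="${encodeHtml(q.helpText)}">` +
         `<label>${encodeHtml(q.text)}</label></div>`;
}

// Audit check: tags, inline event handlers or javascript: URLs in stored text.
const ACTIVE_MARKUP = /<\s*\/?\s*[a-z!][^>]*>|\bon[a-z]+\s*=|javascript\s*:/i;

// Return the paths of stored fields that contain active markup.
function auditSurvey(survey) {
  const findings = [];
  const check = (path, value) => {
    if (typeof value === 'string' && ACTIVE_MARKUP.test(value)) findings.push(path);
  };
  check('title', survey.title);
  (survey.questions || []).forEach((q, i) => {
    check(`questions[${i}].text`, q.text);
    check(`questions[${i}].helpText`, q.helpText);
  });
  return findings;
}

// Constructed sample record (not taken from the advisory).
const sampleSurvey = {
  title: 'Q3 staff feedback',
  questions: [
    { text: 'How satisfied are you with onboarding?', helpText: 'Scale of 1 to 5' },
    { text: '<script>alert(1)</script>Any comments?', helpText: 'Optional' },
  ],
};
```

Running auditSurvey over existing records before and after upgrading helps identify content that was stored while the application was rendering it unencoded.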

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the survey, potentially leading to session hijacking and unauthorized actions.

Added: Jan 7, 2026, 5:46 PM
Updated: Jan 7, 2026, 5:46 PM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 1.7
exploitability: 5.2
remediation: 7.7
relevance: 1.9
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.