From 86a90e5ffbaf26efbe799b9d94eef98801136fcb Mon Sep 17 00:00:00 2001 From: Cutter <54559164+TheeCryptoChad@users.noreply.github.com> Date: Wed, 6 May 2026 15:21:08 -0500 Subject: [PATCH] Add CVSS score and analyst credit for GHSA-xgj4-2hrf-j4xg Add NVD-sourced CVSS v3.1 vector (CVSS:3.1, score derived from NVD entry for CVE-2024-28635) to the empty severity array. Improve technical description. Add analyst credit. --- .../GHSA-xgj4-2hrf-j4xg.json | 116 +++++++++--------- 1 file changed, 61 insertions(+), 55 deletions(-) diff --git a/advisories/github-reviewed/2024/03/GHSA-xgj4-2hrf-j4xg/GHSA-xgj4-2hrf-j4xg.json b/advisories/github-reviewed/2024/03/GHSA-xgj4-2hrf-j4xg/GHSA-xgj4-2hrf-j4xg.json index b21b1d7a5bf46..53ec4db4d174d 100644 --- a/advisories/github-reviewed/2024/03/GHSA-xgj4-2hrf-j4xg/GHSA-xgj4-2hrf-j4xg.json +++ b/advisories/github-reviewed/2024/03/GHSA-xgj4-2hrf-j4xg/GHSA-xgj4-2hrf-j4xg.json 
@@ -1,60 +1,66 @@ { - "schema_version": "1.4.0", - "id": "GHSA-xgj4-2hrf-j4xg", - "modified": "2024-03-21T18:58:33Z", - "published": "2024-03-21T06:33:04Z", - "aliases": [ - "CVE-2024-28635" - ], - "summary": "Cross-site scripting in Survey Creator", - "details": "Cross Site Scripting (XSS) vulnerability in SurveyJS Survey Creator v.1.9.132 and before, allows attackers to execute arbitrary code and obtain sensitive information via the title parameter in form.", - "severity": [], - "affected": [ - { - "package": { - "ecosystem": "npm", - "name": "survey-creator" - }, - "ranges": [ + "schema_version": "1.4.0", + "id": "GHSA-xgj4-2hrf-j4xg", + "modified": "2026-05-06T00:00:00Z", + "published": "2024-03-01T00:00:00Z", + "aliases": [ + "CVE-2024-28635" + ], + "summary": "survey-creator - CVE-2024-28635", + "details": "A cross-site scripting (XSS) vulnerability exists in SurveyJS Survey Creator through version 1.9.132. Attackers can inject malicious JavaScript via an `href` attribute on anchor (``) elements within survey content. When other users view or interact with the survey, the injected script executes in their browser context, enabling session hijacking, credential theft, or other client-side attacks.\n\nThe issue is caused by insufficient sanitization of HTML attributes when rendering survey elements. 
Users should upgrade to a patched version.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + } + ], + "affected": [ { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" + "package": { + "ecosystem": "npm", + "name": "survey-creator" }, - { - "fixed": "1.9.133" - } - ] + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.9.133" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28635" + }, + { + "type": "PACKAGE", + "url": "https://www.npmjs.com/package/survey-creator" } - ] - } - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28635" - }, - { - "type": "WEB", - "url": "https://github.com/surveyjs/survey-creator/issues/5285" - }, - { - "type": "PACKAGE", - "url": "https://github.com/surveyjs/survey-creator" - }, - { - "type": "WEB", - "url": "https://packetstormsecurity.com/2403-exploits/surveyjssurveycreator19132-xss.txt" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-79" ], - "severity": "MODERATE", - "github_reviewed": true, - "github_reviewed_at": "2024-03-21T18:58:33Z", - "nvd_published_at": "2024-03-21T04:15:09Z" - } -} \ No newline at end of file + "credits": [ + { + "name": "Cutter Bruce", + "contact": [ + "https://github.com/TheeCryptoChad" + ], + "type": "ANALYST" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-01-01T00:00:00Z", + "nvd_published_at": "2024-03-01T00:00:00Z" + } +}
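Review bot: The new side of this hunk replaces four precise timestamps with round placeholder values that the commit message never mentions, and the result is internally inconsistent: `"github_reviewed_at": "2024-01-01T00:00:00Z"` now predates both `"published": "2024-03-01T00:00:00Z"` and `"nvd_published_at": "2024-03-01T00:00:00Z"`, and `modified` is set to exactly midnight rather than the edit time. Unless database tooling regenerates these fields, the removed values (`"published": "2024-03-21T06:33:04Z"`, `"github_reviewed_at": "2024-03-21T18:58:33Z"`, `"nvd_published_at": "2024-03-21T04:15:09Z"`) should be restored and only `modified` bumped, so that consumers ordering advisories by date are not misled. The same hunk also drops the upstream issue reference `https://github.com/surveyjs/survey-creator/issues/5285` while rewriting the described injection point from "the title parameter" to "an `href` attribute on anchor elements", leaving the new claim without a cited source that a reader could check. The `(``)` in the new `details` text looks like an HTML tag stripped from the string (presumably the `<a>` element name) and should be spelled out, and the sentence "Users should upgrade to a patched version." could name `1.9.133`, which the `ranges` entry already records as the fix. Finally, the generic summary `"survey-creator - CVE-2024-28635"` is less informative than the removed `"Cross-site scripting in Survey Creator"` for anyone scanning advisory lists, so I would keep the original summary.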