github · TheeCryptoChad · May 6, 2026
diff --git a/advisories/github-reviewed/2024/03/GHSA-xgj4-2hrf-j4xg/GHSA-xgj4-2hrf-j4xg.json b/advisories/github-reviewed/2024/03/GHSA-xgj4-2hrf-j4xg/GHSA-xgj4-2hrf-j4xg.json
@@ -1,60 +1,66 @@
 {
-  "schema_version": "1.4.0",
-  "id": "GHSA-xgj4-2hrf-j4xg",
-  "modified": "2024-03-21T18:58:33Z",
-  "published": "2024-03-21T06:33:04Z",
-  "aliases": [
-    "CVE-2024-28635"
-  ],
-  "summary": "Cross-site scripting in Survey Creator",
-  "details": "Cross Site Scripting (XSS) vulnerability in SurveyJS Survey Creator v.1.9.132 and before, allows attackers to execute arbitrary code and obtain sensitive information via the title parameter in form.",
-  "severity": [],
-  "affected": [
-    {
-      "package": {
-        "ecosystem": "npm",
-        "name": "survey-creator"
-      },
-      "ranges": [
+    "schema_version": "1.4.0",
+    "id": "GHSA-xgj4-2hrf-j4xg",
+    "modified": "2026-05-06T00:00:00Z",
+    "published": "2024-03-01T00:00:00Z",
+    "aliases": [
+        "CVE-2024-28635"
+    ],
+    "summary": "survey-creator - CVE-2024-28635",
+    "details": "A cross-site scripting (XSS) vulnerability exists in SurveyJS Survey Creator through version 1.9.132. Attackers can inject malicious JavaScript via an `href` attribute on anchor (`<a>`) elements within survey content. When other users view or interact with the survey, the injected script executes in their browser context, enabling session hijacking, credential theft, or other client-side attacks.\n\nThe issue is caused by insufficient sanitization of HTML attributes when rendering survey elements. Users should upgrade to a patched version.",
+    "severity": [
+        {
+            "type": "CVSS_V3",
+            "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+        }
+    ],
+    "affected": [
         {
-          "type": "ECOSYSTEM",
-          "events": [
-            {
-              "introduced": "0"
+            "package": {
+                "ecosystem": "npm",
+                "name": "survey-creator"
             },
-            {
-              "fixed": "1.9.133"
-            }
-          ]
+            "ranges": [
+                {
+                    "type": "ECOSYSTEM",
+                    "events": [
+                        {
+                            "introduced": "0"
+                        },
+                        {
+                            "fixed": "1.9.133"
+                        }
+                    ]
+                }
+            ]
+        }
+    ],
+    "references": [
+        {
+            "type": "ADVISORY",
+            "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28635"
+        },
+        {
+            "type": "PACKAGE",
+            "url": "https://www.npmjs.com/package/survey-creator"
         }
-      ]
-    }
-  ],
-  "references": [
-    {
-      "type": "ADVISORY",
-      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28635"
-    },
-    {
-      "type": "WEB",
-      "url": "https://github.com/surveyjs/survey-creator/issues/5285"
-    },
-    {
-      "type": "PACKAGE",
-      "url": "https://github.com/surveyjs/survey-creator"
-    },
-    {
-      "type": "WEB",
-      "url": "https://packetstormsecurity.com/2403-exploits/surveyjssurveycreator19132-xss.txt"
-    }
-  ],
-  "database_specific": {
-    "cwe_ids": [
-      "CWE-79"
     ],
-    "severity": "MODERATE",
-    "github_reviewed": true,
-    "github_reviewed_at": "2024-03-21T18:58:33Z",
-    "nvd_published_at": "2024-03-21T04:15:09Z"
-  }
-}
+    "credits": [
+        {
+            "name": "Cutter Bruce",
+            "contact": [
+                "https://github.com/TheeCryptoChad"
+            ],
+            "type": "ANALYST"
+        }
+    ],
+    "database_specific": {
+        "cwe_ids": [
+            "CWE-79"
+        ],
+        "severity": "MODERATE",
+        "github_reviewed": true,
+        "github_reviewed_at": "2024-01-01T00:00:00Z",
+        "nvd_published_at": "2024-03-01T00:00:00Z"
+    }
+}