
CVE-2025-15479: NGSurvey Enterprise 3.6.4 stored XSS via survey content enables arbitrary JavaScript execution in Data Illusion Zumbrunn NGSurvey

Severity: Medium
Published: Wed Jan 07 2026 (01/07/2026, 13:23:09 UTC)
Source: CVE Database V5
Vendor/Project: Data Illusion Zumbrunn
Product: NGSurvey

Description

CVE-2025-15479 is a stored cross-site scripting (XSS) vulnerability in NGSurvey Enterprise Edition 3.6.4 by Data Illusion Zumbrunn. It affects both Windows and Linux server deployments. Authenticated users with survey creation or editing privileges can inject malicious JavaScript into survey content, which is then executed in the browsers of other users viewing the survey. This can lead to session hijacking and unauthorized actions performed on behalf of victims. The vulnerability arises from improper output encoding of survey content. The CVSS 4.0 score is 5.1, indicating medium severity.

AI-Powered Analysis

Last updated: 01/14/2026, 15:56:40 UTC

Technical Analysis

CVE-2025-15479 is a stored cross-site scripting (XSS) vulnerability classified under CWE-79, affecting NGSurvey Enterprise Edition version 3.6.4, a survey management platform by Data Illusion Zumbrunn. The vulnerability exists in the survey content and administration modules on both Windows and Linux server platforms. Authenticated users with privileges to create or edit surveys can inject arbitrary JavaScript code into survey content fields. The malicious script is stored persistently and executes in the browsers of other users who view the affected survey content. The root cause is the lack of proper output encoding or sanitization of user-supplied survey content before it is rendered in the web interface. Exploitation requires authentication and survey editing rights, but no privileges beyond those, and it requires user interaction (a victim viewing the malicious survey). The impact includes theft of session cookies, enabling session hijacking, and the ability to perform unauthorized actions on behalf of other users. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N) reflects a network attack vector, low attack complexity, low privileges (survey editing rights only), and required user interaction. The vulnerability has a medium severity score of 5.1. No public exploit code or active exploitation has been reported yet. The vulnerability affects all supported platforms of NGSurvey 3.6.4, making it broadly relevant to deployments of this version. The absence of a patch link suggests that a fix may not yet be publicly available, which makes the mitigations below the primary defence for now.

Potential Impact

For European organizations using NGSurvey Enterprise 3.6.4, this vulnerability poses a risk of session hijacking and unauthorized actions within the survey platform, potentially leading to data leakage or manipulation of survey results. Since NGSurvey is often used for collecting sensitive feedback and data, exploitation could compromise confidentiality and integrity of survey data. The stored XSS could also be leveraged to pivot to other internal systems if the platform is integrated with broader enterprise environments. Organizations with multiple users having survey editing privileges are at higher risk, as attackers require authenticated access with these rights. The impact on availability is limited, but the breach of trust and data integrity could have regulatory and reputational consequences, especially under GDPR. Attackers could exploit this vulnerability to impersonate users, escalate privileges indirectly, or conduct phishing attacks within the organization. The medium severity indicates a moderate but actionable threat that should not be ignored.

Mitigation Recommendations

1. Immediately restrict survey creation and editing privileges to the minimum number of trusted users to reduce the attack surface.
2. Implement strict input validation and output encoding on all user-supplied survey content fields to neutralize malicious scripts.
3. Monitor and audit survey content for suspicious or unexpected JavaScript code injections.
4. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers accessing the survey platform.
5. Use web application firewalls (WAFs) with rules targeting XSS payloads to detect and block exploitation attempts.
6. If a patch becomes available from Data Illusion Zumbrunn, prioritize its deployment across all affected systems.
7. Educate users to be cautious when interacting with survey content, especially if unexpected behavior is observed.
8. Regularly review user roles and permissions to ensure least privilege principles are enforced.
9. Consider isolating the NGSurvey platform in a segmented network zone to limit lateral movement if compromised.
10. Enable multi-factor authentication (MFA) for all users to reduce the risk of credential compromise facilitating exploitation.
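The following is an added illustration of recommendations 2, 3 and 4 above and of the root cause described in the Technical Analysis; it is example code written for this page, not NGSurvey's own code, and the field names, the rendering functions and the sample survey content are all constructed assumptions. It shows the vulnerable pattern (survey text concatenated straight into markup) beside the hardened pattern (contextual HTML encoding of every user-controlled value), a conservative audit scan over stored survey fields that flags markup which should never appear in plain survey text, and a nonce-based CSP value that refuses inline scripts.

```javascript
// Added example for CVE-2025-15479 style stored XSS (not NGSurvey code).
// All field names and sample content below are constructed for illustration.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode an untrusted string for use inside an HTML element body or a
// double-quoted attribute value.
function encodeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: stored survey text is inserted into markup unencoded,
// so a <script> element saved by a survey editor runs in every viewer's browser.
function renderQuestionUnsafe(question) {
  return `<div class="question"><h2>${question.title}</h2><p>${question.help}</p></div>`;
}

// Hardened pattern: every user-controlled value is encoded for the HTML
// context it lands in, so stored markup is displayed as text, never executed.
function renderQuestionSafe(question) {
  return `<div class="question"><h2>${encodeHtml(question.title)}</h2>` +
         `<p>${encodeHtml(question.help)}</p></div>`;
}

// Audit patterns for stored survey content (recommendation 3). These are
// deliberately conservative and feed a review queue; they are not a filter
// that replaces output encoding.
const SUSPICIOUS_MARKUP = [
  /<\s*script\b/i,                    // script elements
  /\bon[a-z]+\s*=/i,                  // inline event handler attributes
  /javascript\s*:/i,                  // script URLs in href/src
  /<\s*(iframe|object|embed|svg)\b/i, // other script-capable elements
];

// Scan every string field of a stored survey record and report the first
// matching pattern per field. Returns [] for clean content.
function auditSurveyContent(survey) {
  const findings = [];
  for (const [field, value] of Object.entries(survey)) {
    if (typeof value !== 'string') continue;
    for (const pattern of SUSPICIOUS_MARKUP) {
      if (pattern.test(value)) {
        findings.push({ field, pattern: pattern.source });
        break;
      }
    }
  }
  return findings;
}

// Content-Security-Policy value (recommendation 4): no inline scripts at all;
// the application's own <script> tags carry the per-response nonce.
function buildCsp(nonce) {
  return [
    "default-src 'self'",
    `script-src 'self' 'nonce-${nonce}'`,
    "object-src 'none'",
    "base-uri 'self'",
  ].join('; ');
}

// Constructed sample: a survey question whose title contains stored markup.
const sampleQuestion = {
  title: 'Rate our service <script>document.title="x"</script>',
  help: 'Choose 1 to 5',
};

console.log('unsafe :', renderQuestionUnsafe(sampleQuestion));
console.log('safe   :', renderQuestionSafe(sampleQuestion));
console.log('audit  :', JSON.stringify(auditSurveyContent(sampleQuestion)));
console.log('csp    :', buildCsp('r4nd0mNonce'));
```

Encoding at render time is the fix for the root cause; the audit scan only helps find content that was stored before encoding was in place, and the CSP header limits what an already-stored script can do in a browser that enforces it.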


Technical Details

Data Version: 5.2
Assigner Short Name: TCS-CERT
Date Reserved: 2026-01-07T13:10:13.147Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 695e62d67349d0379da25d18

Added to database: 1/7/2026, 1:42:46 PM

Last enriched: 1/14/2026, 3:56:40 PM

Last updated: 2/6/2026, 9:08:55 PM

Views: 50
