CVE-2025-15479: NGSurvey Enterprise 3.6.4 stored XSS via survey content enables arbitrary JavaScript execution in Data Illusion Zumbrunn NGSurvey
Stored cross-site scripting (XSS, CWE-79) in the survey content and administration functionality in Data Illusion Zumbrunn NGSurvey Enterprise Edition 3.6.4 on all supported platforms (Windows and Linux servers) allows authenticated remote users with survey creation or edit privileges to execute arbitrary JavaScript in other users’ browsers, steal session information and perform unauthorized actions on their behalf via crafted survey content that is rendered without proper output encoding.
AI Analysis
Technical Summary
CVE-2025-15479 is a stored cross-site scripting (XSS) vulnerability identified in Data Illusion Zumbrunn's NGSurvey Enterprise Edition version 3.6.4. It affects installations running on both Windows and Linux servers. The flaw exists in the survey content and administration functionality, where user-supplied input entered during survey creation or editing is not sanitized or output encoded before it is rendered. As a result, authenticated users with privileges to create or edit surveys can embed arbitrary JavaScript in survey content, and when other users open the affected survey pages the script runs in their browsers in the origin of the vulnerable application. This can lead to theft of session cookies, letting an attacker hijack user sessions, impersonate victims, and perform unauthorized actions such as modifying surveys or accessing sensitive data. Because the vulnerability requires an account with survey creation or editing rights, the attack surface is limited to internal or otherwise trusted users. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N) reflects a network attack vector, low attack complexity, low privileges required (a survey editor account), and passive user interaction (the victim only has to view the malicious survey); the impact is scored on the subsequent system, that is, the victim's browser session (SC:L/SI:L), not on the NGSurvey server itself. No public exploit code or active exploitation has been reported to date. The root cause is insufficient output encoding of survey content, a common issue in web applications that handle rich user input. This vulnerability highlights the importance of secure coding practices, including input validation and context-aware output encoding, to prevent XSS.
Potential Impact
For European organizations using NGSurvey Enterprise 3.6.4, this vulnerability poses a risk of session hijacking and unauthorized actions within the survey management system. Attackers with survey editing privileges could compromise other users’ accounts by injecting malicious scripts, potentially leading to data leakage, manipulation of survey results, or unauthorized administrative actions. This could undermine the integrity and confidentiality of survey data, which may include sensitive or personal information protected under GDPR. Additionally, successful exploitation could facilitate lateral movement within the network if the compromised accounts have elevated privileges. The impact is particularly significant for organizations relying on NGSurvey for internal or external data collection, such as market research firms, academic institutions, or government agencies. Disruption or manipulation of survey data could affect decision-making processes and damage organizational reputation. Although exploitation requires authenticated access and user interaction, the medium severity rating suggests that the risk should not be underestimated, especially in environments with many users or where survey editing privileges are widely granted.
Mitigation Recommendations
To mitigate CVE-2025-15479, organizations should first apply any available patches or updates from Data Illusion Zumbrunn addressing this vulnerability. If patches are not yet available, implement strict access controls that limit survey creation and editing privileges to trusted users. Conduct regular audits of user permissions to minimize the number of accounts with elevated rights. Employ web application firewalls (WAFs) with rules designed to detect and block common XSS payloads targeting NGSurvey endpoints. Educate users to be cautious when interacting with survey content, especially if unexpected or suspicious behavior is observed. Consider deploying Content Security Policy (CSP) headers that omit 'unsafe-inline' from script-src, so that inline scripts injected into survey pages are refused by the browser and the impact of injected JavaScript is reduced. Additionally, review and enhance input validation and output encoding mechanisms within the application if custom modifications are possible. Monitor logs for unusual activity related to survey creation or editing and for signs of session hijacking attempts. Finally, prepare incident response plans to quickly address potential exploitation scenarios.
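As an added illustration of the root cause and of the encoding and CSP mitigations described above (this is example code written for this page, not NGSurvey's own templates, which are not shown here), the same survey fields rendered without and with context-aware output encoding, checked with an HTML parser the way a browser would see them. The field names, the sample values and the template layout are constructed assumptions.

```python
import html
from html.parser import HTMLParser

# Constructed sample survey fields standing in for what a survey editor submits;
# the second one targets the double-quoted attribute context used below.
SAMPLE_TITLE = 'Customer feedback <script>alert(1)</script>'
SAMPLE_HELP = 'Rate us" onmouseover="alert(1)'

def render_vulnerable(title, help_text):
    """'Before' rendering: editor-supplied text is concatenated into the page raw."""
    return '<h2>%s</h2><p title="%s">%s</p>' % (title, help_text, help_text)

def render_hardened(title, help_text):
    """Context-aware encoding for the element-body and double-quoted attribute
    contexts this template uses: html.escape(quote=True) entity-encodes < > & " '."""
    safe_title = html.escape(title, quote=True)
    safe_help = html.escape(help_text, quote=True)
    return '<h2>%s</h2><p title="%s">%s</p>' % (safe_title, safe_help, safe_help)

class ActiveContentFinder(HTMLParser):
    """Parses rendered HTML as a browser would and records script elements and
    inline event-handler (on*) attributes that actually reach the DOM."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script element")
        for name, _value in attrs:
            if name.startswith("on"):
                self.findings.append("%s@%s" % (tag, name))

def active_content(rendered):
    """Return the executable constructs a browser would find in a rendered page."""
    finder = ActiveContentFinder()
    finder.feed(rendered)
    finder.close()
    return finder.findings

def csp_header():
    """Defence-in-depth header without 'unsafe-inline': an injected inline
    script is refused by the browser even if encoding is missed somewhere."""
    return ("Content-Security-Policy",
            "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'")

if __name__ == "__main__":
    print("vulnerable:", active_content(render_vulnerable(SAMPLE_TITLE, SAMPLE_HELP)))
    print("hardened:", active_content(render_hardened(SAMPLE_TITLE, SAMPLE_HELP)))
```

The parser-based check is the useful part for a review: escaped text still contains the substring `onmouseover=`, so a plain string search would flag the hardened output as well, whereas the parser reports only constructs that become a script element or an event-handler attribute.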
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Belgium, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: TCS-CERT
- Date Reserved: 2026-01-07T13:10:13.147Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 695e62d67349d0379da25d18
Added to database: 1/7/2026, 1:42:46 PM
Last enriched: 1/7/2026, 1:56:48 PM
Last updated: 1/8/2026, 6:32:35 PM