CVE-2024-36043 in Form Library
Summary
by MITRE • 05/18/2024
question_image.ts in SurveyJS Form Library before 1.10.4 allows contentMode=youtube XSS via the imageLink property.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 03/29/2025
The vulnerability identified as CVE-2024-36043 resides within the SurveyJS Form Library, specifically in the question_image.ts component, affecting versions prior to 1.10.4. This security flaw represents a cross-site scripting vulnerability that emerges through the imageLink property when the contentMode is set to youtube. The SurveyJS Form Library is a widely used JavaScript library for creating interactive surveys and forms, making this vulnerability particularly concerning for organizations that rely on web-based data collection systems. The issue manifests when user-supplied input is not properly sanitized before being rendered in the context of a youtube content mode, creating an avenue for malicious actors to inject arbitrary JavaScript code into the application's response.
The technical mechanism behind this vulnerability stems from insufficient input validation and sanitization within the imageLink property handling logic. When a survey creator specifies a youtube content mode for an image question, the library processes the imageLink parameter to extract and embed youtube video content. However, the implementation fails to adequately sanitize user-provided URLs, allowing malicious payloads to persist in the imageLink field. This vulnerability aligns with CWE-79, which describes Cross-Site Scripting flaws, specifically categorized as injection vulnerabilities where untrusted data enters the application through a vulnerable input point. The flaw operates under the principle that user-controllable parameters are directly embedded into dynamic content without proper context-appropriate escaping or validation.
The operational impact of this vulnerability extends beyond simple script execution, potentially enabling attackers to perform a wide range of malicious activities within the context of the vulnerable application. An attacker could leverage this vulnerability to steal user sessions, redirect victims to phishing sites, or execute arbitrary commands on behalf of authenticated users. The implications are particularly severe in enterprise environments where survey forms might be used for sensitive data collection, employee feedback, or customer surveys. The vulnerability could be exploited through various attack vectors including social engineering campaigns where malicious actors craft specially crafted survey questions or by compromising survey creation interfaces. According to ATT&CK framework, this vulnerability maps to T1566.001 (Phishing: Spearphishing Attachment) and T1566.002 (Phishing: Spearphishing Link) as attackers could create malicious survey forms to deliver payloads.
Organizations utilizing SurveyJS Form Library should prioritize immediate remediation by upgrading to version 1.10.4 or later, which includes proper input sanitization measures for the imageLink property. Additionally, implementing content security policies that restrict script execution and employing proper input validation at multiple layers of the application can provide defense-in-depth measures. The vulnerability demonstrates the critical importance of sanitizing all user-controllable inputs, particularly in rich text and media embedding components. Security practitioners should also consider implementing web application firewalls to detect and block suspicious patterns in survey creation parameters. Organizations should conduct thorough security testing of their survey applications to identify similar vulnerabilities in other components and ensure comprehensive protection against similar cross-site scripting threats.