VYPR
Medium severity (CVSS 6.4) · NVD Advisory · Published Feb 3, 2026 · Updated Apr 15, 2026

CVE-2019-25263

Description

Zendesk SweetHawk Survey 1.6 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts through support ticket submissions. Attackers can insert XSS payloads like script tags into ticket text that automatically execute when survey pages are loaded by other users.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Zendesk SweetHawk Survey 1.6 has a persistent XSS flaw where ticket text can inject scripts that auto-execute on survey pages.

Vulnerability

The Zendesk SweetHawk Survey app version 1.6 is affected by a persistent (stored) cross-site scripting (XSS) vulnerability [1][2]. The root cause is improper neutralization of user input during web page generation, classified as CWE-79 [2]. An attacker can inject arbitrary script code, such as a script tag, into the text of a support ticket [1].

Exploitation

This flaw requires no authentication on the attacker's part beyond being able to submit a support ticket, which is a standard user action [1]. The payload is stored on the server and automatically served to any user who loads the associated survey page. Unlike reflected XSS, the victim does not need to click a malicious link; simply visiting the vulnerable survey page triggers the injected script [1].

Impact

An attacker can execute arbitrary JavaScript in the context of other users' browsers when they view the survey [1]. This can lead to session hijacking, unauthorized actions on behalf of the victim, defacement, or redirection to malicious sites. The CVSS v3 base score is 6.4 (Medium), indicating a moderate severity [2]. The impact on confidentiality and integrity is limited (low), per the CVSS v4 vector [2].

Mitigation

As of December 2019, the vendor had not responded to multiple disclosure attempts, and no official patch was available [1][2]. Users of SweetHawk Survey version 1.6 or earlier should consider disabling the app or implementing web application firewall (WAF) rules to block common XSS payloads until a fix is applied.
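The following is an added illustration, not code from the advisory or from the SweetHawk app: it contrasts the CWE-79 pattern described above (ticket text concatenated straight into survey markup) with the context-aware output encoding that neutralizes it, plus a crude submission-time check of the kind a WAF rule approximates. The ticket object shape, function names and sample ticket are assumptions constructed for the example.

```javascript
// Added example (not from the advisory or the SweetHawk Survey app).
// Shows why raw ticket text rendered into survey HTML is a stored-XSS sink
// and how escaping for the HTML text context removes the injection (CWE-79).

// Escape the five characters that are significant in HTML text/attribute context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Vulnerable pattern: untrusted ticket fields interpolated directly into markup.
// Whatever the submitter typed becomes part of the page every viewer loads.
function renderSurveyUnsafe(ticket) {
  return `<p class="ticket">${ticket.subject}: ${ticket.body}</p>`;
}

// Hardened pattern: every untrusted field is encoded for the context it lands in.
function renderSurveySafe(ticket) {
  return `<p class="ticket">${escapeHtml(ticket.subject)}: ${escapeHtml(ticket.body)}</p>`;
}

// Submission-time detection hook (for logging/alerting, similar in spirit to a
// WAF signature). It only flags obvious markup; output encoding stays the fix.
function looksLikeMarkupInjection(text) {
  return /<\s*\/?\s*[a-z][^>]*>/i.test(text) || /javascript:/i.test(text);
}

// Constructed sample ticket (hypothetical, not a real submission).
const sampleTicket = {
  subject: "Login issue",
  body: 'Cannot sign in <script>alert("xss")</script>',
};
```

Rendering `sampleTicket` through `renderSurveyUnsafe` yields live `<script>` markup, while `renderSurveySafe` yields the same text with the tag shown as inert `&lt;script&gt;`.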

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet).

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0 (no linked articles in our index yet).