CVE-2021-27961
Description
evesys 7.1 (2152) through 8.0 (2202) allows Reflected XSS via the indexeva.php action parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Evasys 7.1 (2152) through 8.0 (2202) reflects the action parameter of indexeva.php into the HTTP response without sanitization or output encoding, which allows reflected XSS.
Vulnerability Analysis
CVE-2021-27961 describes a reflected cross-site scripting (XSS) vulnerability in Evasys survey software versions 7.1 (2152) through 8.0 (2202). The flaw resides in the indexeva.php script, specifically within the action GET parameter. The application fails to sanitize or validate user-supplied input before including it in the response, allowing an attacker to inject arbitrary HTML or JavaScript [1][2].
Attack Vector and Prerequisites
The vulnerability is exploited by delivering a crafted URL to a victim with a malicious payload in the action parameter. The proof-of-concept payload "><img src=x onpointerenter="alert()" shows the mechanics: the leading "> closes the attribute and tag into which the value is reflected, and the injected img element carries an onpointerenter handler that fires as soon as the victim's pointer enters it, so no further click inside the page is needed. No authentication is required to reach the vulnerable endpoint, but because this is reflected XSS the victim must open the attacker-supplied link (for example from an email or a compromised site). The attack surface is therefore limited to users who visit the manipulated URL [2].
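The reflection described above, modelled in Python as an added example (this is not Evasys source code, which is not available on this page; the hidden-input template, the host evasys.example.test and the function names are assumptions). It extracts the action parameter from a PoC URL built from the write-up's payload, shows the vulnerable verbatim reflection beside an attribute-encoded version, and includes the reflection check a tester would run against a captured response to decide whether the payload survived unencoded:

```python
import html
from urllib.parse import parse_qs, quote, urlsplit

# Payload exactly as quoted in the write-up above.
POC_PAYLOAD = '"><img src=x onpointerenter="alert()"'

# Hypothetical host and path; only the script name and parameter come from the CVE.
POC_URL = "https://evasys.example.test/evasys/indexeva.php?action=" + quote(POC_PAYLOAD, safe="")


def action_from_url(url: str) -> str:
    """Extract the URL-decoded value of the action query parameter ('' if absent)."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get("action", [""])[0]


def render_vulnerable(action: str) -> str:
    """Stand-in for the flawed behaviour: the value is dropped into a quoted
    attribute verbatim. Illustrative template only, not Evasys code."""
    return f'<input type="hidden" name="action" value="{action}">'


def render_fixed(action: str) -> str:
    """Hardened form: encode for the HTML attribute context before reflecting.
    quote=True turns the double quote into &quot;, so the attribute cannot be closed."""
    return f'<input type="hidden" name="action" value="{html.escape(action, quote=True)}">'


def reflects_unencoded(body: str, payload: str) -> bool:
    """Reflection check on a captured response body: True only if the payload
    appears verbatim, i.e. its quote, > and < characters survived into the markup."""
    return payload in body


def breaks_out_of_attribute(body: str) -> bool:
    """Crude structural check: a literal <img ... onpointerenter= tag exists in the
    markup, which is what the leading "> of the payload achieves against the
    vulnerable template. Encoded output never contains a literal <img."""
    return "<img src=x onpointerenter=" in body


if __name__ == "__main__":
    value = action_from_url(POC_URL)
    print("vulnerable:", render_vulnerable(value))
    print("fixed:     ", render_fixed(value))
```

The fix is context-specific: html.escape with quote=True is correct for a double-quoted attribute value, but a value reflected into a script block or a URL attribute would need a different encoder, so the check above should be re-run against every place the parameter is echoed.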
Impact
Successful exploitation executes attacker-controlled JavaScript in the origin of the Evasys application, in the context of the victim's session. Depending on the application's functionality this enables session hijacking (directly via the session cookie if it is not marked HttpOnly, or otherwise by driving authenticated requests from the victim's browser), page defacement, and theft of data the victim can see, such as survey responses or authentication tokens. The CVSS v3 base score of 6.5 (Medium) reflects a confidentiality and integrity impact that requires no privileges on the attacker's side, only user interaction [1][2].
Mitigation
Administrators should upgrade to a patched Evasys release beyond 8.0 (2202) as recommended by the vendor; the vendor's blog may contain additional guidance. Because this CVE was published in 2025 but describes older software versions, operators of affected deployments should confirm the exact version they run and apply the vendor's updates. Until that is done, standard reflected-XSS defence in depth applies: context-aware output encoding of the action parameter wherever it is echoed, a restrictive Content-Security-Policy, and HttpOnly session cookies to limit what an injected script can steal [1][2].
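A detection check to pair with the upgrade, added here as an example that is not part of the CVE record or any vendor tooling: it scans web server access logs for requests to indexeva.php whose action parameter carries markup or an inline event handler, which is what exploitation attempts against this CVE look like at the server. The log lines are constructed samples in Apache combined format with hypothetical addresses; line 2 carries the PoC payload from this write-up URL-encoded once, and line 4 carries it double-encoded to show why the check decodes repeatedly before matching:

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample lines (Apache combined format; hypothetical IPs, hosts and times).
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2026:12:00:01 +0000] "GET /evasys/indexeva.php?action=login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/May/2026:12:00:02 +0000] "GET /evasys/indexeva.php?action=%22%3E%3Cimg%20src%3Dx%20onpointerenter%3D%22alert()%22 HTTP/1.1" 200 5308 "https://mail.example.test/" "Mozilla/5.0"
203.0.113.9 - - [10/May/2026:12:00:03 +0000] "GET /evasys/other.php?action=%3Cscript%3E HTTP/1.1" 404 210 "-" "curl/8.0"
198.51.100.4 - - [10/May/2026:12:00:04 +0000] "GET /evasys/indexeva.php?action=%2522%253E%253Cimg%2520src%253Dx%2520onpointerenter%253D%2522alert()%2522 HTTP/1.1" 200 5308 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Markers of markup or script inside a value that should be a plain action keyword.
MARKUP_RE = re.compile(r'[<>"]|\bon\w+\s*=|javascript:', re.IGNORECASE)


def decode_fully(value: str, limit: int = 3) -> str:
    """Undo repeated percent-encoding (parse_qs has already removed one layer).
    Stops early once decoding no longer changes the value."""
    for _ in range(limit):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_action_requests(log_text: str) -> list[dict]:
    """Return one record per request to indexeva.php whose action parameter
    carries markup or an event handler, regardless of encoding depth."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = urlsplit(m["target"])
        if not target.path.endswith("/indexeva.php"):
            continue
        for raw in parse_qs(target.query, keep_blank_values=True).get("action", []):
            value = decode_fully(raw)
            if MARKUP_RE.search(value):
                hits.append({"ip": m["ip"], "ts": m["ts"],
                             "status": int(m["status"]), "action": value})
    return hits


if __name__ == "__main__":
    for hit in suspicious_action_requests(SAMPLE_LOG):
        print(hit)
```

A 200 response on a hit means the vulnerable code path was reached, which is worth more attention than a blocked or 404 attempt; the referer field in line 2 is the kind of evidence that shows how the link was delivered.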
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (2)
News mentions (0)
No linked articles in our index yet.