Overview
CVE-2025-13829 identifies a critical Incorrect Authorization vulnerability affecting Data Illusion Zumbrunn NGSurvey. This flaw allows any authenticated user within the system to potentially obtain the private and sensitive information of other users. This unauthorized access poses a significant risk to user privacy and the overall security of the NGSurvey platform.
Published on 2025-12-01T16:15:51.690, this vulnerability highlights the importance of robust access control mechanisms in web applications.
Technical Details
The vulnerability stems from a flaw in the authorization logic of NGSurvey. Specifically, the system fails to properly validate user permissions when accessing certain API endpoints. This allows an attacker, after successfully logging in with a valid account, to make requests that return data belonging to other users.
The following sensitive information can be retrieved:
- APIKEY: A long-lived (1-year session) key providing extensive access to a user’s account.
- RefreshToken: A short-lived (10-minute session) token used to refresh access tokens, enabling sustained access.
- Password (hashed with bcrypt): Exposure of password hashes weakens the security posture, even with bcrypt, especially if paired with other user data.
- User IP Address: Can be used for tracking, geolocation, and potentially deanonymization.
- Email Address: Enables phishing attacks and other forms of social engineering.
- Full Name: Further facilitates social engineering and identity theft.
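To make the flaw class concrete, here is an added illustration (hypothetical code, not NGSurvey's): a user-lookup endpoint that only checks that the caller is logged in, shown beside a hardened version that makes an object-level authorization decision before touching the target record and serialises an allow-list of fields so the credentials the advisory lists (APIKEY, RefreshToken, password hash) never appear in a response. All accounts, keys and hashes below are constructed sample data.

```python
"""Hypothetical model of the NGSurvey flaw class: a user-lookup endpoint that
authenticates the caller but never authorises access to the requested record,
shown beside a hardened version. Not NGSurvey code; all data is constructed."""

# Constructed sample accounts (no real keys or hashes).
USERS = {
    1: {"id": 1, "full_name": "Alice Example", "email": "alice@example.invalid", "ip": "203.0.113.10",
        "role": "user", "password_hash": "$2b$12$constructed-bcrypt-hash-1",
        "api_key": "constructed-apikey-1", "refresh_token": "constructed-rt-1"},
    2: {"id": 2, "full_name": "Bob Example", "email": "bob@example.invalid", "ip": "203.0.113.20",
        "role": "user", "password_hash": "$2b$12$constructed-bcrypt-hash-2",
        "api_key": "constructed-apikey-2", "refresh_token": "constructed-rt-2"},
    3: {"id": 3, "full_name": "Carol Admin", "email": "carol@example.invalid", "ip": "203.0.113.30",
        "role": "admin", "password_hash": "$2b$12$constructed-bcrypt-hash-3",
        "api_key": "constructed-apikey-3", "refresh_token": "constructed-rt-3"},
}

# Fields the advisory lists as leaked; an API response must never carry them.
CREDENTIAL_FIELDS = frozenset({"password_hash", "api_key", "refresh_token"})
# Allow-list of what a profile read may return; everything else stays server-side.
PROFILE_FIELDS = ("id", "full_name", "email", "ip")


class Forbidden(Exception):
    """Caller is authenticated but not allowed to read this record."""


def get_user_vulnerable(caller_id, target_id):
    """Flawed pattern: checks only that the caller is logged in, then returns
    the whole stored row for any target id (incorrect authorization)."""
    if caller_id not in USERS:
        raise PermissionError("not authenticated")
    return dict(USERS[target_id])


def get_profile(caller_id, target_id):
    """Hardened pattern: object-level authorisation is decided before the target
    row is fetched (so a non-owner learns nothing, not even whether the id
    exists), then an allow-list serialisation keeps credentials out of the body."""
    caller = USERS.get(caller_id)
    if caller is None:
        raise PermissionError("not authenticated")
    if target_id != caller_id and caller["role"] != "admin":
        raise Forbidden(f"user {caller_id} may not read user {target_id}")
    target = USERS[target_id]
    return {k: target[k] for k in PROFILE_FIELDS}


def leaked_credentials(response):
    """Return which credential fields a response body exposes (empty set = clean)."""
    return CREDENTIAL_FIELDS & set(response)
```

`leaked_credentials` doubles as a cheap response-audit check: running it over an endpoint's serialised output in a unit test catches a regression that reintroduces any of the three credential fields.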
CVSS Analysis
While the provided information states “Severity: N/A” and “CVSS Score: N/A”, a vulnerability of this nature typically warrants a high to critical CVSS score. Given the potential for widespread data exposure, a hypothetical CVSS score would likely fall in the range of 8.0-10.0, depending on the exploitability and scope of impact. Factors contributing to a high score would include:
- Confidentiality Impact: High (complete disclosure of user data).
- Attack Complexity: Low (straightforward to exploit once the attacker holds any valid account).
- Privileges Required: Low (only requires a valid user account).
- User Interaction: None.
A proper CVSS score assessment should be conducted by security professionals after further analysis of the vulnerability.
Possible Impact
The exploitation of CVE-2025-13829 can lead to severe consequences:
- Data Breach: Massive exposure of user data, leading to potential regulatory fines and reputational damage.
- Account Takeover: Attackers can use the stolen APIKEY or RefreshToken to gain complete control over user accounts.
- Identity Theft: Stolen personal information can be used for malicious purposes, including identity theft and fraud.
- Phishing Attacks: Email addresses and full names can be used to craft targeted phishing campaigns.
- Reputational Damage: Loss of trust in NGSurvey and Data Illusion.
Mitigation and Patch Steps
The recommended mitigation is to immediately apply the patch provided by Data Illusion in NGSurvey version 3.6.17 (released on 2025-05-28). This update addresses the incorrect authorization issue. Specifically:
- Upgrade NGSurvey: Upgrade your NGSurvey instance to version 3.6.17 or later.
- Review Access Controls: Thoroughly review and strengthen access control mechanisms within the application.
- Monitor for Suspicious Activity: Implement monitoring systems to detect and respond to any unusual activity.
- Consider Password Resets: As a precaution, consider requiring all users to reset their passwords, particularly if the extent of the vulnerability window is significant.
