CVE-2020-25798

Published: Nov 17, 2020Modified: Nov 21, 2024

5.4

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.3 / Impact: 2.7

Source: NVD

Description

A stored cross-site scripting (XSS) vulnerability in LimeSurvey before and including 3.21.1 allows authenticated users with correct permissions to inject arbitrary web script or HTML via parameter ParticipantAttributeNamesDropdown of the Attributes on the central participant database page. When the survey attribute being edited or viewed, e.g. by an administrative user, the JavaScript code will be executed in the browser.

Affected (1)

Products: Limesurvey: Limesurvey

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Limesurvey Limesurvey	Up to 3.21.1

Related CWEs

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (4)

https://bugs.limesurvey.org/view.php?id=15672

Source: cve@mitre.org

ExploitIssue TrackingVendor Advisory

https://github.com/LimeSurvey/LimeSurvey/commit/38e1ab069b538de7cb5f3a04939aba8e835640cb

Source: cve@mitre.org

PatchThird Party Advisory

https://bugs.limesurvey.org/view.php?id=15672

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitIssue TrackingVendor Advisory

https://github.com/LimeSurvey/LimeSurvey/commit/38e1ab069b538de7cb5f3a04939aba8e835640cb

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

Timeline

No history available yet.