First published: Thu Dec 31 2020
LimeSurvey 3.21.1 is affected by cross-site scripting (XSS) in the Add Participants function (first and last name parameters). When the survey participant is later edited, e.g. by an administrative user, the JavaScript code stored in those fields is executed in that user's browser.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix
---|---|---
Limesurvey Limesurvey | =3.21.1 | Update to LimeSurvey 3.21.2 or later
CVE-2020-25797 is a vulnerability in LimeSurvey version 3.21.1 that allows for cross-site scripting (XSS) attacks in the Add Participants function.
CVE-2020-25797 allows an attacker to execute JavaScript code in the browser when editing a survey participant's first and last name.
The severity of CVE-2020-25797 is medium, with a CVSS score of 5.4.
To fix CVE-2020-25797, update LimeSurvey to a version that has implemented the necessary security patches (e.g., version 3.21.2 or later).
You can find more information about CVE-2020-25797 in the LimeSurvey bug tracker (https://bugs.limesurvey.org/view.php?id=15680) and the LimeSurvey GitHub repository (https://github.com/LimeSurvey/LimeSurvey/commit/0a7bdfa1c166f734d11a1528c8d9a7d61b670ad7).
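As an added illustration (not code from LimeSurvey or from this advisory), the Python below shows the defensive side of the issue: a check over a constructed participant export that flags first/last name values carrying markup, placed beside the unsafe rendering pattern and the attribute-escaped form that keeps such a value from executing in the administrator's browser. The column names and export layout are assumptions, not LimeSurvey's actual format.

```python
import csv
import html
import io
import re

# Constructed sample export. Column layout is an assumption; the rows carrying
# markup are synthetic test data, not values observed in any real deployment.
SAMPLE_EXPORT = """firstname,lastname,email
Alice,Smith,alice@example.org
"<img src=x onerror=alert(1)>",Jones,bob@example.org
Carol,"<script>alert(2)</script>",carol@example.org
"""

# Markup that has no place in a person's name: HTML tags, on* event handlers,
# javascript: URLs. Used to triage existing participant data on an unpatched install.
SUSPICIOUS = re.compile(r"<\s*/?\s*[a-z]|on\w+\s*=|javascript\s*:", re.IGNORECASE)


def flag_suspicious(export_text):
    """Return (line_number, column, value) for every name cell containing markup.

    Line numbers count the header as line 1, matching the text of the export.
    """
    findings = []
    reader = csv.DictReader(io.StringIO(export_text))
    for line_no, row in enumerate(reader, start=2):
        for col in ("firstname", "lastname"):
            value = row.get(col, "")
            if SUSPICIOUS.search(value):
                findings.append((line_no, col, value))
    return findings


def render_name_vulnerable(first, last):
    """The unsafe pattern: stored names interpolated raw into the edit form's HTML."""
    return (f'<input name="firstname" value="{first}"> '
            f'<input name="lastname" value="{last}">')


def render_name_safe(first, last):
    """Contextual output encoding: escape for an HTML attribute value before rendering."""
    return ('<input name="firstname" value="%s"> <input name="lastname" value="%s">'
            % (html.escape(first, quote=True), html.escape(last, quote=True)))


if __name__ == "__main__":
    for line_no, col, value in flag_suspicious(SAMPLE_EXPORT):
        print(f"line {line_no}: {col} contains markup: {value!r}")
```

Escaping at render time is the fix for this class of bug; the export check only helps locate records that were written while the instance was still vulnerable.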