First published: Tue Nov 17 2020
A stored cross-site scripting (XSS) vulnerability in LimeSurvey before and including 3.21.1 allows authenticated users with the relevant permissions to inject arbitrary web script or HTML via the ParticipantAttributeNamesDropdown parameter of the Attributes section on the central participant database page. When the stored attribute is later edited or viewed, e.g. by an administrative user, the injected JavaScript executes in that user's browser.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Limesurvey Limesurvey | <=3.21.1 | Update to 3.21.2 or later |
CVE-2020-25798 is a stored cross-site scripting (XSS) vulnerability in LimeSurvey before and including version 3.21.1.
CVE-2020-25798 allows authenticated users with correct permissions to inject arbitrary web script or HTML via the parameter ParticipantAttributeNamesDropdown of the Attributes on the central participant database page in LimeSurvey.
CVE-2020-25798 has a severity rating of medium with a score of 5.4.
To fix the stored cross-site scripting (XSS) vulnerability, users should update LimeSurvey to version 3.21.2 or later.
More information about CVE-2020-25798 can be found on the LimeSurvey bug tracker (https://bugs.limesurvey.org/view.php?id=15672) and the LimeSurvey GitHub repository (https://github.com/LimeSurvey/LimeSurvey/commit/38e1ab069b538de7cb5f3a04939aba8e835640cb).
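As an added illustration (not LimeSurvey's own code), the pattern behind this class of bug: a stored participant attribute name written into the dropdown markup without output encoding, beside the same renderer with HTML encoding applied at output time. The function names and the sample attribute rows are constructed for the example.

```php
<?php
// Constructed sample rows as they might sit in the participant attribute table.
// The second name is the kind of value a user with attribute-edit permission
// could store; it only becomes a problem if rendered without encoding.
$attributes = [
    ['attribute_id' => 1, 'name' => 'Department'],
    ['attribute_id' => 2, 'name' => 'Region"><script>alert(1)</script>'],
];

// Vulnerable pattern: stored data is concatenated straight into HTML, so the
// browser parses the attribute name as markup when an admin views the page.
function renderDropdownVulnerable(array $attributes): string
{
    $html = '<select name="ParticipantAttributeNamesDropdown">';
    foreach ($attributes as $a) {
        $html .= '<option value="' . $a['attribute_id'] . '">'
               . $a['name'] . '</option>';
    }
    return $html . '</select>';
}

// Hardened pattern: every stored value is HTML-encoded at the point of output.
// htmlspecialchars() with ENT_QUOTES turns <, >, &, " and ' into entities, so
// the payload is displayed literally instead of being executed. (In a Yii 1
// application such as LimeSurvey, CHtml::encode() wraps the same call.)
function renderDropdownFixed(array $attributes): string
{
    $html = '<select name="ParticipantAttributeNamesDropdown">';
    foreach ($attributes as $a) {
        $id   = htmlspecialchars((string) $a['attribute_id'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $name = htmlspecialchars((string) $a['name'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $html .= '<option value="' . $id . '">' . $name . '</option>';
    }
    return $html . '</select>';
}

// Simple check a reviewer can run: the hardened output must not contain a raw
// <script tag, while the vulnerable output does.
$vuln  = renderDropdownVulnerable($attributes);
$fixed = renderDropdownFixed($attributes);
echo $vuln, "\n\n", $fixed, "\n\n";
echo 'vulnerable contains raw <script: ', (stripos($vuln, '<script') !== false ? 'yes' : 'no'), "\n";
echo 'fixed contains raw <script:      ', (stripos($fixed, '<script') !== false ? 'yes' : 'no'), "\n";
```

The same encode-at-output rule applies to any other place the attribute name is rendered (table cells, edit forms, JSON embedded in script blocks), since stored XSS is triggered wherever the value is displayed, not where it was saved.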