Stored Cross-Site Scripting in LimeSurvey by LimeSurvey Group
CVE-2020-11456

5.4MEDIUM

Key Information:

Vendor

Limesurvey

Status
Limesurvey
Vendor
CVE Published:
1 April 2020

What is CVE-2020-11456?

LimeSurvey versions prior to 4.1.12+200324 contain a vulnerability that allows for stored cross-site scripting (XSS) attacks. This issue is present in the survey settings interface and within the surveys groups model, where unvalidated user input can be executed in the browser of an unsuspecting user. Attackers can exploit this vulnerability to execute arbitrary scripts within the affected users' browsers, potentially leading to session hijacking or unauthorized actions on behalf of users.

References

https://github.com/LimeSurvey/LimeSurvey/commit/04b118acc...
x_refsource_MISC
http://packetstormsecurity.com/files/157114/LimeSurvey-4....
x_refsource_MISC
https://www.exploit-db.com/exploits/48289
x_refsource_MISC

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.