Cross-Site Scripting Vulnerability in LimeSurvey by LimeSurvey Group
CVE-2020-25797

5.4MEDIUM

Key Information:

Vendor: Limesurvey
Status: Limesurvey
Vendor: CVE Published:; 31 December 2020

What is CVE-2020-25797?

LimeSurvey version 3.21.1 is susceptible to a cross-site scripting (XSS) vulnerability within the Add Participants function. This flaw allows an attacker to inject malicious JavaScript code into the first and last name parameters while editing a survey participant's details. As a result, when an administrative user edits a participant, the injected code is executed in their browser, potentially compromising sensitive data and user sessions.

References

https://bugs.limesurvey.org/view.php?id=15680

x_refsource_MISC

https://github.com/LimeSurvey/LimeSurvey/commit/0a7bdfa1c...

x_refsource_MISC

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 31, 2020
Vulnerability Reserved
Sep 21, 2020

Limesurvey

What is CVE-2020-25797?

References

CVSS V3.1

Timeline