Description
LimeSurvey 3.21.1 is affected by cross-site scripting (XSS) in the Quota component of the Survey page. When the survey quota is being viewed, e.g. by an administrative user, the JavaScript code will be executed in the browser.
References (2)
Core References
Exploit, Vendor Advisory x_refsource_misc
https://bugs.limesurvey.org/view.php?id=15681
Patch, Vendor Advisory x_refsource_misc
https://github.com/LimeSurvey/LimeSurvey/commit/a5f317817da4577d9ff457fea9c96482b3d1df23
Scores
CVSS v3
5.4
EPSS
0.0026
EPSS Percentile
49.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (1)
limesurvey/limesurvey
3.21.1
Published
Dec 31, 2020
Tracked Since
Feb 18, 2026