Skip to main content

Limesurvey CVE-2024-28710

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2024-10-07 cve@mitre.org
6.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Oct 07, 2024 - 16:15 nvd
MEDIUM 6.1

DescriptionNVD

Cross Site Scripting vulnerability in LimeSurvey before 6.5.0+240319 allows a remote attacker to execute arbitrary code via a lack of input validation and output encoding in the Alert Widget's message component.

AnalysisAI

Cross Site Scripting vulnerability in LimeSurvey before 6.5.0+240319 allows a remote attacker to execute arbitrary code via a lack of input validation and output encoding in the Alert Widget's. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. Cross Site Scripting vulnerability in LimeSurvey before 6.5.0+240319 allows a remote attacker to execute arbitrary code via a lack of input validation and output encoding in the Alert Widget's message component. Affected products include: Limesurvey. Version information: before 6.5.0.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

CVE-2020-11455 CRITICAL POC
9.8 Apr 01

LimeSurvey before 4.1.12+200324 contains a path traversal vulnerability in application/controllers/admin/LimeSurveyFileM

CVE-2019-9960 CRITICAL POC
9.8 Mar 24

The downloadZip function in application/controllers/admin/export.php in LimeSurvey through 3.16.1+190225 allows a relati

CVE-2018-17057 CRITICAL POC
9.8 Sep 14

An issue was discovered in TCPDF before 6.2.22. Rated critical severity (CVSS 9.8), this vulnerability is remotely explo

CVE-2024-42902 HIGH POC
8.8 Sep 03

An issue in the js_localize.php function of LimeSurvey v6.6.2 and before allows attackers to execute arbitrary code via

CVE-2024-39063 HIGH POC
8.8 Jul 09

Lime Survey <= 6.5.12 is vulnerable to Cross Site Request Forgery (CSRF). Rated high severity (CVSS 8.8), this vulnerabi

CVE-2012-4927 HIGH POC
7.5 Sep 15

SQL injection vulnerability in Limesurvey (a.k.a PHPSurveyor) before 1.91+ Build 120224 and earlier allows remote attack

CVE-2014-5017 HIGH POC
7.5 Jul 21

SQL injection vulnerability in CPDB in application/controllers/admin/participantsaction.php in LimeSurvey 2.05+ Build 14

CVE-2022-43279 HIGH POC
7.2 Nov 15

LimeSurvey before v5.0.4 was discovered to contain a SQL injection vulnerability via the component /application/views/th

CVE-2024-24506 MEDIUM POC
6.1 Apr 03

Cross Site Scripting (XSS) vulnerability in Lime Survey Community Edition Version v.5.3.32+220817, allows remote attacke

CVE-2021-42112 MEDIUM POC
6.1 Oct 08

The "File upload question" functionality in LimeSurvey 3.x-LTS through 3.27.18 allows XSS in assets/scripts/modaldialog.

CVE-2019-17660 MEDIUM POC
6.1 Oct 16

A cross-site scripting (XSS) vulnerability in admin/translate/translateheader_view.php in LimeSurvey 3.19.1 and earlier

CVE-2025-56422 CRITICAL
9.8 Mar 10

LimeSurvey before v6.15.0 has an insecure deserialization enabling remote code execution through crafted survey data.

Share

CVE-2024-28710 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy