CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Description
Cross Site Scripting vulnerability in Limesurvey v.6.15.20+251021 allows a remote attacker to execute arbitrary code via the Box[title] and box[url] parameters.
Analysis
Cross-site scripting (XSS) in LimeSurvey 6.15.20+251021 allows unauthenticated remote attackers to execute arbitrary JavaScript in victim browsers via malicious Box[title] and box[url] parameters. The vulnerability requires user interaction (clicking a crafted link) but achieves stored or reflected XSS with cross-origin impact, affecting confidentiality and integrity. A public proof-of-concept is available, and an upstream fix has been merged into the LimeSurvey repository.
Technical Context
LimeSurvey is a web-based survey platform written in PHP. The vulnerability stems from improper input validation and output encoding in the Box parameter handling mechanism (CWE-79: Improper Neutralization of Input During Web Page Generation). The affected parameters (Box[title] and box[url]) are used to render survey interface elements but are not adequately sanitized before insertion into the HTML/JavaScript context. Attack surface encompasses any LimeSurvey instance where user-supplied or attacker-controlled parameters reach the rendering engine without proper escaping. The CVSS vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) confirms network accessibility, low attack complexity, no privilege requirement, and user interaction requirement; the S:C (Scope Changed) rating indicates the vulnerability can affect resources beyond the vulnerable component.
Affected Products
LimeSurvey version 6.15.20+251021 is confirmed affected. The CPE data provided (cpe:2.3:a:n/a:n/a:*:*:*:*:*:*:*:*) is incomplete and does not identify LimeSurvey; a correct CPE should reference the LimeSurvey application directly. Based on the GitHub pull request reference (LimeSurvey/LimeSurvey#4356), the vulnerability affects the LimeSurvey 6.x series at least through build 251021. The exact lower bound of affected versions (whether 6.0.0 or earlier 6.x builds are vulnerable) is not explicitly stated in the provided data; however, the notation 6.15.20+251021 suggests 6.15.20 and later builds through at least 251021 are affected. Users should consult the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2025-70797 and the upstream GitHub PR for comprehensive version mapping.
Remediation
Apply the upstream patch merged in LimeSurvey pull request #4356 (https://github.com/LimeSurvey/LimeSurvey/pull/4356); consult the LimeSurvey release notes to identify the earliest patched version that includes this fix and upgrade to that version or later. If immediate patching is not feasible, implement input validation and output encoding controls: ensure all Box[title] and box[url] parameters are strictly validated against a whitelist of permitted values, and HTML-encode or JavaScript-escape all user-supplied parameters before rendering them in HTML or script contexts. Web application firewall (WAF) rules can provide temporary detection of malicious Box parameter payloads (e.g., patterns containing script tags, event handlers, or JavaScript protocol schemes). For additional guidance, refer to the NVD vulnerability detail page: https://nvd.nist.gov/vuln/detail/CVE-2025-70797.
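As an added illustration (not LimeSurvey's code and not the patch from PR #4356), the following Python shows the raw-interpolation pattern that the Technical Context section attributes to CWE-79 beside a hardened renderer that applies the validation and encoding controls listed above, followed by a check that flags the payload patterns named for WAF rules. It assumes the box is rendered as a link (title as link text, url as href) and that only absolute http/https URLs are legitimate values for box[url]; both are assumptions for the example, not facts from the advisory.

```python
# Added illustration (not LimeSurvey code): the CWE-79 pattern behind the
# Box[title]/box[url] flaw, a hardened renderer, and a WAF-style check.
import html
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: the box is rendered as a link whose text is the title and whose
# href is the url. The real LimeSurvey template is not shown on the page.
BOX_TEMPLATE = '<div class="box"><a href="{url}">{title}</a></div>'

ALLOWED_URL_SCHEMES = {"http", "https"}  # assumed policy for box[url]


def render_box_vulnerable(title: str, url: str) -> str:
    """The 'before' shape: raw interpolation of request parameters into HTML."""
    return BOX_TEMPLATE.format(url=url, title=title)


def safe_url(url: str) -> str:
    """Allow only absolute http(s) URLs for box[url]; anything else becomes '#'.

    urlsplit lowercases the scheme, so 'JavaScript:' is rejected the same way
    as 'javascript:'; a scheme-relative '//host' has no scheme and is rejected.
    """
    url = url.strip()
    parts = urlsplit(url)
    if parts.scheme in ALLOWED_URL_SCHEMES and parts.netloc:
        return url
    return "#"


def render_box_hardened(title: str, url: str) -> str:
    """Validate the URL against the scheme allowlist, then HTML-encode both
    values (quote=True also encodes " and ') before they reach the template."""
    return BOX_TEMPLATE.format(
        url=html.escape(safe_url(url), quote=True),
        title=html.escape(title, quote=True),
    )


# Patterns the remediation text names: script tags, event handlers and the
# javascript: scheme. Matched on URL-decoded values, case-insensitively.
SUSPICIOUS_BOX_PATTERNS = [
    re.compile(r"<\s*/?\s*script\b", re.I),
    re.compile(r"\bon[a-z]+\s*=", re.I),
    re.compile(r"javascript\s*:", re.I),
]


def flag_box_params(query_string: str) -> list[str]:
    """Return the names of Box[...]/box[...] parameters whose decoded value
    matches one of the patterns. The key match is case-insensitive because
    the two parameters on the page differ in case (Box[title], box[url])."""
    hits = []
    for name, values in parse_qs(query_string, keep_blank_values=True).items():
        if not name.lower().startswith("box["):
            continue
        if any(p.search(v) for p in SUSPICIOUS_BOX_PATTERNS for v in values):
            hits.append(name)
    return hits


if __name__ == "__main__":
    # Constructed request values, not captured traffic.
    title, url = '"><script>alert(1)</script>', "javascript:alert(1)"
    print(render_box_vulnerable(title, url))
    print(render_box_hardened(title, url))
    print(flag_box_params(
        "Box[title]=%3Cscript%3Ealert(1)%3C/script%3E&box[url]=https://example.com"))
```

The scheme allowlist matters because HTML-encoding alone does not neutralise a `javascript:` value in an href attribute; encoding protects the HTML context, the allowlist protects the URL context. The pattern check is a detection aid for interim WAF rules and will miss encodings it does not decode, so it complements the upstream patch rather than replacing it.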
EUVD-2025-209392
GHSA-wj23-9h6j-cj83