Skip to main content

Limesurvey EUVDEUVD-2025-209392

| CVE-2025-70797 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-04-09 mitre GHSA-wj23-9h6j-cj83
6.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Apr 09, 2026 - 17:45 euvd
EUVD-2025-209392
Analysis Generated
Apr 09, 2026 - 17:45 vuln.today
CVE Published
Apr 09, 2026 - 00:00 nvd
MEDIUM 6.1

DescriptionCVE.org

Cross Site Scripting vulnerability in Limesurvey v.6.15.20+251021 allows a remote attacker to execute arbitrary code via the Box[title] and box[url] parameters.

AnalysisAI

Cross-site scripting (XSS) in LimeSurvey 6.15.20+251021 allows unauthenticated remote attackers to execute arbitrary JavaScript in victim browsers via malicious Box[title] and box[url] parameters. The vulnerability requires user interaction (clicking a crafted link) but achieves stored or reflected XSS with cross-origin impact, affecting confidentiality and integrity. A public proof-of-concept is available, and an upstream fix has been merged into the LimeSurvey repository.

Technical ContextAI

LimeSurvey is a web-based survey platform written in PHP. The vulnerability stems from improper input validation and output encoding in the Box parameter handling mechanism (CWE-79: Improper Neutralization of Input During Web Page Generation). The affected parameters (Box[title] and box[url]) are used to render survey interface elements but are not adequately sanitized before insertion into the HTML/JavaScript context. Attack surface encompasses any LimeSurvey instance where user-supplied or attacker-controlled parameters reach the rendering engine without proper escaping. The CVSS vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) confirms network accessibility, low attack complexity, no privilege requirement, and user interaction requirement; the S:C (Scope Changed) rating indicates the vulnerability can affect resources beyond the vulnerable component.

RemediationAI

Apply the upstream patch merged in LimeSurvey pull request #4356 (https://github.com/LimeSurvey/LimeSurvey/pull/4356); consult the LimeSurvey release notes to identify the earliest patched version that includes this fix and upgrade to that version or later. If immediate patching is not feasible, implement input validation and output encoding controls: ensure all Box[title] and box[url] parameters are strictly validated against a whitelist of permitted values, and HTML-encode or JavaScript-escape all user-supplied parameters before rendering them in HTML or script contexts. Web application firewall (WAF) rules can provide temporary detection of malicious Box parameter payloads (e.g., patterns containing script tags, event handlers, or JavaScript protocol schemes). For additional guidance, refer to the NVD vulnerability detail page: https://nvd.nist.gov/vuln/detail/CVE-2025-70797.

Share

EUVD-2025-209392 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy