Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
Cross Site Scripting vulnerability in Limesurvey v.6.15.20+251021 allows a remote attacker to execute arbitrary code via the Box[title] and box[url] parameters.
AnalysisAI
Cross-site scripting (XSS) in LimeSurvey 6.15.20+251021 allows unauthenticated remote attackers to execute arbitrary JavaScript in victim browsers via malicious Box[title] and box[url] parameters. The vulnerability requires user interaction (clicking a crafted link) but achieves stored or reflected XSS with cross-origin impact, affecting confidentiality and integrity. A public proof-of-concept is available, and an upstream fix has been merged into the LimeSurvey repository.
Technical ContextAI
LimeSurvey is a web-based survey platform written in PHP. The vulnerability stems from improper input validation and output encoding in the Box parameter handling mechanism (CWE-79: Improper Neutralization of Input During Web Page Generation). The affected parameters (Box[title] and box[url]) are used to render survey interface elements but are not adequately sanitized before insertion into the HTML/JavaScript context. Attack surface encompasses any LimeSurvey instance where user-supplied or attacker-controlled parameters reach the rendering engine without proper escaping. The CVSS vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) confirms network accessibility, low attack complexity, no privilege requirement, and user interaction requirement; the S:C (Scope Changed) rating indicates the vulnerability can affect resources beyond the vulnerable component.
RemediationAI
Apply the upstream patch merged in LimeSurvey pull request #4356 (https://github.com/LimeSurvey/LimeSurvey/pull/4356); consult the LimeSurvey release notes to identify the earliest patched version that includes this fix and upgrade to that version or later. If immediate patching is not feasible, implement input validation and output encoding controls: ensure all Box[title] and box[url] parameters are strictly validated against a whitelist of permitted values, and HTML-encode or JavaScript-escape all user-supplied parameters before rendering them in HTML or script contexts. Web application firewall (WAF) rules can provide temporary detection of malicious Box parameter payloads (e.g., patterns containing script tags, event handlers, or JavaScript protocol schemes). For additional guidance, refer to the NVD vulnerability detail page: https://nvd.nist.gov/vuln/detail/CVE-2025-70797.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209392
GHSA-wj23-9h6j-cj83