LimeSurvey 3.21.1 is affected by stored cross-site scripting (XSS) in the Add Participants function (first and last name parameters). When the stored participant record is later viewed or edited, e.g. by an administrative user, the injected JavaScript executes in that user's browser.
LimeSurvey 3.21.1 is vulnerable to a stored cross-site scripting (XSS) attack that lets an attacker inject JavaScript into the application. Because the payload runs in the session of whoever opens the record, typically an administrator, it can be used to steal session cookies or credentials, redirect the user to a phishing site, or deface the page, affecting the confidentiality and integrity of the platform.
Step 1: Payload Delivery: An attacker who can reach the Add Participants form crafts a JavaScript payload (e.g., <script>alert('XSS')</script>) and submits it in the 'First Name' or 'Last Name' field while adding a new participant or editing an existing one.
Step 2: Data Storage: The application stores the payload verbatim in the participant's record in the LimeSurvey database; nothing is validated or encoded on the way in.
Step 3: Administrative Access: An administrative user opens the participant management section and views or edits the participant record containing the payload.
Step 4: Payload Execution: The application renders the participant's details, inserting the stored 'First Name' or 'Last Name' value into the HTML page without output encoding. The browser parses the value as markup and executes the script in the context of the administrator's authenticated session.
Step 5: Exploitation: The attacker's JavaScript runs with the administrator's privileges in the browser, enabling cookie theft, session hijacking, actions performed on the administrator's behalf, or redirection to a malicious site. Because the payload is persisted, it fires every time the record is opened until it is removed.
The vulnerability stems from insufficient input validation and, more importantly, missing output encoding in the 'Add Participants' function of LimeSurvey. The application accepts the first and last name parameters as submitted and later writes them into the page unencoded, so an attacker can plant markup and script in these fields. When an administrative user views or edits a participant record containing the payload, the injected JavaScript executes in that user's browser. The root cause is the lack of HTML encoding of user-provided data at the point where it is rendered; because the payload is persisted in the database and delivered to every subsequent viewer, this is stored (persistent) XSS rather than reflected XSS. The durable fix is context-appropriate output encoding at every sink that renders the participant fields (HTML body, attribute and JavaScript contexts each need their own encoding), with input validation on the name fields as defence in depth; encoding on input alone is not sufficient because the same value may be rendered in several contexts.
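The flow described in Steps 1 to 5 and the root cause above, as an added example that is not LimeSurvey's own code: an in-memory participant table stands in for the database, `render_vulnerable` reproduces the flaw by interpolating the stored names straight into the HTML body, `render_hardened` applies output encoding at that sink, and `find_suspicious` is the kind of sweep a practitioner would run over an existing participant table to find records already carrying the payload. Function and field names are assumptions for the illustration.

```python
"""Stored XSS in a participant list: the vulnerable rendering beside the fix.

Added example, not LimeSurvey code. The list below stands in for the
participant table; the names are assumptions for the illustration.
"""
from html import escape
import re

# Constructed sample data: one benign record and one carrying the payload
# from the writeup, stored exactly as an attacker would have submitted it.
PARTICIPANTS = [
    {"firstname": "Ada", "lastname": "Lovelace", "email": "ada@example.org"},
    {"firstname": "<script>alert('XSS')</script>", "lastname": "Doe",
     "email": "attacker@example.org"},
]

# One row of the participant listing; every value lands in HTML body context.
ROW = "<tr><td>{firstname}</td><td>{lastname}</td><td>{email}</td></tr>"


def store_participant(table, firstname, lastname, email):
    """Step 2: the application persists whatever was submitted, unchanged."""
    table.append({"firstname": firstname, "lastname": lastname, "email": email})


def render_vulnerable(table):
    """Steps 3 and 4 as the flawed code behaves: raw values into the page.
    A browser receiving this output parses the stored <script> as markup."""
    rows = "".join(ROW.format(**p) for p in table)
    return f"<table>{rows}</table>"


def render_hardened(table):
    """Same page with HTML-body encoding applied at the sink. quote=True also
    encodes ' and \" so the same helper is safe inside quoted attributes."""
    rows = "".join(
        ROW.format(**{k: escape(v, quote=True) for k, v in p.items()})
        for p in table
    )
    return f"<table>{rows}</table>"


# Opening tag, javascript: URL scheme, or an on*= event handler attribute.
_MARKUP = re.compile(r"<\s*/?\s*[a-zA-Z]|javascript:|on[a-z]+\s*=", re.I)


def find_suspicious(table):
    """Practitioner's check: return (row index, field) pairs whose stored
    name carries HTML or JavaScript. Useful for sweeping an existing
    participant table, since a persisted payload survives an upgrade."""
    return [
        (i, k)
        for i, p in enumerate(table)
        for k in ("firstname", "lastname")
        if _MARKUP.search(p[k])
    ]


if __name__ == "__main__":
    print(render_vulnerable(PARTICIPANTS))
    print(render_hardened(PARTICIPANTS))
    print(find_suspicious(PARTICIPANTS))
```

Running the block prints the two renderings side by side: the vulnerable one contains the literal `<script>` element, the hardened one the encoded `&lt;script&gt;` text that a browser displays rather than executes. The sweep reports the offending row and field, which is what you want when cleaning up a database that was exposed before the fix was deployed.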