Source: cve@mitre.org
LimeSurvey 3.21.1 is affected by cross-site scripting (XSS) in the Quota component of the Survey page. When the survey quota is viewed, e.g. by an administrative user, the JavaScript code is executed in the browser.
LimeSurvey 3.21.1 is vulnerable to a cross-site scripting (XSS) attack, allowing attackers to inject malicious JavaScript code into the survey quota component. This can lead to account compromise, data theft, and website defacement by executing arbitrary code within a victim's browser, particularly targeting administrative users.
Step 1: Payload Creation: The attacker crafts a malicious JavaScript payload designed to execute in the victim's browser. This payload could be designed to steal cookies, redirect the user, or perform other malicious actions.
Step 2: Payload Injection: The attacker injects the malicious JavaScript payload into a field or setting related to survey quotas within LimeSurvey. This could involve manipulating quota messages, descriptions, or other quota-related parameters.
Step 3: Payload Storage: The injected payload is stored within the LimeSurvey database, associated with the survey quota configuration.
Step 4: Victim Interaction: An administrative user, or any user with sufficient privileges to view the quota settings, accesses the survey quota page. This triggers the rendering of the quota information, including the attacker's injected JavaScript.
Step 5: Payload Execution: The victim's browser executes the malicious JavaScript payload, allowing the attacker to perform actions on behalf of the victim.
The vulnerability stems from insufficient input validation and output encoding within the Quota component of LimeSurvey. Specifically, user-supplied data, likely related to quota settings or messages, is not properly sanitized before being rendered in the survey quota view. This allows an attacker to inject malicious JavaScript code into the HTML response. When an administrative user views the quota page, the injected JavaScript executes in their browser, enabling the attacker to steal session cookies, redirect the user to a phishing site, or modify the survey's content. The root cause is a failure to properly escape or encode user-controlled input before it is included in the HTML output, leading to a stored XSS vulnerability.
While no specific APTs are directly linked to this CVE, the ease of exploitation and potential impact (account takeover, data theft) make it attractive to various threat actors. This vulnerability could be exploited by both opportunistic attackers and more sophisticated groups.
CISA KEV status: Not Listed
Monitor web server logs for unusual HTTP requests containing JavaScript code within quota-related parameters (e.g., quota messages, descriptions).
Analyze HTTP responses for the presence of unexpected JavaScript code within the survey quota pages.
Implement a Web Application Firewall (WAF) with rules to detect and block XSS payloads.
Monitor user activity for suspicious behavior, such as unexpected redirects or changes to user accounts.
Use a Content Security Policy (CSP) to restrict the execution of JavaScript from untrusted sources.
Upgrade to a patched version of LimeSurvey (version 3.21.2 or later).
Implement input validation to sanitize all user-supplied data before storing it in the database.
Implement output encoding to properly escape special characters in user-supplied data before rendering it in HTML.
Use a Content Security Policy (CSP) to restrict the execution of JavaScript to trusted sources.
Regularly scan the application for vulnerabilities using static and dynamic analysis tools.
Review and harden the server configuration to minimize attack surface.
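The root cause described above (user-controlled quota fields concatenated into HTML without encoding) and the output-encoding mitigation, shown side by side as an added example. This is illustrative code, not LimeSurvey's own implementation; the quota field names (`name`, `qlimit`, `message`) and the sample record are constructed for the demonstration.

```javascript
// Added example (not LimeSurvey's own code): contrast an unencoded quota view
// with one that HTML-encodes every user-controlled field at the output boundary.
// Field names (name, qlimit, message) are assumptions for illustration only.

// The five characters that can break out of HTML text or attribute context.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: stored quota fields are interpolated straight into markup,
// so whatever was saved in the database becomes live HTML in the admin's browser.
function renderQuotaVulnerable(quota) {
  return `<tr><td>${quota.name}</td><td>${quota.qlimit}</td><td>${quota.message}</td></tr>`;
}

// Hardened pattern: encode at render time regardless of what validation ran on input,
// so stored data can only ever appear as text inside the template's own cells.
function renderQuotaHardened(quota) {
  return `<tr><td>${escapeHtml(quota.name)}</td><td>${escapeHtml(quota.qlimit)}</td>` +
         `<td>${escapeHtml(quota.message)}</td></tr>`;
}

// Naive check for a rendered fragment (constructed for this demo): report true if any
// tag other than the template's own <tr>/<td> elements made it into the output.
function containsForeignTag(html) {
  const tags = html.match(/<\/?([a-zA-Z][\w-]*)/g) || [];
  const allowed = new Set(["<tr", "</tr", "<td", "</td"]);
  return tags.some((t) => !allowed.has(t));
}

// Constructed sample: a quota record whose name carries a script element and whose
// message contains characters that must be encoded in text context.
const SAMPLE_QUOTA = {
  name: "Region A <script>alert(1)</script>",
  qlimit: 100,
  message: 'Quota "full" & closed',
};

function demo() {
  const vulnerable = renderQuotaVulnerable(SAMPLE_QUOTA);
  const hardened = renderQuotaHardened(SAMPLE_QUOTA);
  return {
    vulnerable,
    hardened,
    vulnerableLeaks: containsForeignTag(vulnerable), // true: script tag survives
    hardenedLeaks: containsForeignTag(hardened),     // false: only entity text
  };
}
```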