CVE-2020-25798
Summary
| CVE | CVE-2020-25798 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2020-11-17 15:15:00 UTC |
| Updated | 2020-11-27 14:37:00 UTC |
| Description | A stored cross-site scripting (XSS) vulnerability in LimeSurvey before and including 3.21.1 allows authenticated users with correct permissions to inject arbitrary web script or HTML via the parameter ParticipantAttributeNamesDropdown of the Attributes on the central participant database page. When the survey attribute is being edited or viewed, e.g. by an administrative user, the JavaScript code will be executed in the browser. |
Risk And Classification
Problem Types: CWE-79
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Limesurvey | Limesurvey | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Fixed issue #15672: LimeSurvey 3.21.1 Cross Site Scripting · LimeSurvey/LimeSurvey@38e1ab0 · GitHub | MISC | github.com | Patch, Third Party Advisory |
| 15672: LimeSurvey 3.21.1 Cross Site Scripting - LimeSurvey bugs and feature requests | MISC | bugs.limesurvey.org | Exploit, Issue Tracking, Vendor Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.