{"api_version":"1","generated_at":"2026-05-13T21:15:34+00:00","cve":"CVE-2020-25799","urls":{"html":"https://cve.report/CVE-2020-25799","api":"https://cve.report/api/cve/CVE-2020-25799.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2020-25799","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2020-25799"},"summary":{"title":"CVE-2020-25799","description":"LimeSurvey 3.21.1 is affected by cross-site scripting (XSS) in the Quota component of the Survey page. When the survey quota being viewed, e.g. by an administrative user, the JavaScript code will be executed in the browser.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2020-12-31 18:15:00","updated_at":"2021-01-05 13:40:00"},"problem_types":["CWE-79"],"metrics":[],"references":[{"url":"https://bugs.limesurvey.org/view.php?id=15681","name":"https://bugs.limesurvey.org/view.php?id=15681","refsource":"MISC","tags":["Exploit","Vendor Advisory"],"title":"15681: LimeSurvey 3.21.1 Cross Site Scripting Stored - LimeSurvey bugs and feature requests","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/LimeSurvey/LimeSurvey/commit/a5f317817da4577d9ff457fea9c96482b3d1df23","name":"https://github.com/LimeSurvey/LimeSurvey/commit/a5f317817da4577d9ff457fea9c96482b3d1df23","refsource":"MISC","tags":["Patch","Vendor Advisory"],"title":"Fixed issue #15681: LimeSurvey 3.21.1 Cross Site Scripting Stored · LimeSurvey/LimeSurvey@a5f3178 · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2020-25799","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-25799","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2020","cve_id":"25799","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"limesurvey","cpe5":"limesurvey","cpe6":"3.21.1","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"25799","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"limesurvey","cpe5":"limesurvey","cpe6":"3.21.1","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2020-25799","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"LimeSurvey 3.21.1 is affected by cross-site scripting (XSS) in the Quota component of the Survey page. When the survey quota being viewed, e.g. by an administrative user, the JavaScript code will be executed in the browser."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"url":"https://bugs.limesurvey.org/view.php?id=15681","refsource":"MISC","name":"https://bugs.limesurvey.org/view.php?id=15681"},{"url":"https://github.com/LimeSurvey/LimeSurvey/commit/a5f317817da4577d9ff457fea9c96482b3d1df23","refsource":"MISC","name":"https://github.com/LimeSurvey/LimeSurvey/commit/a5f317817da4577d9ff457fea9c96482b3d1df23"}]}},"nvd":{"publishedDate":"2020-12-31 18:15:00","lastModifiedDate":"2021-01-05 13:40:00","problem_types":["CWE-79"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE","baseScore":5.4,"baseSeverity":"MEDIUM"},"exploitabilityScore":2.3,"impactScore":2.7},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:S/C:N/I:P/A:N","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"SINGLE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"NONE","baseScore":3.5},"severity":"LOW","exploitabilityScore":6.8,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:limesurvey:limesurvey:3.21.1:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2020","CveId":"25799","Ordinal":"187217","Title":"CVE-2020-25799","CVE":"CVE-2020-25799","Year":"2020"},"notes":[{"CveYear":"2020","CveId":"25799","Ordinal":"1","NoteData":"LimeSurvey 3.21.1 is affected by cross-site scripting (XSS) in the Quota component of the Survey page. When the survey quota being viewed, e.g. by an administrative user, the JavaScript code will be executed in the browser.","Type":"Description","Title":null},{"CveYear":"2020","CveId":"25799","Ordinal":"2","NoteData":"2020-12-31","Type":"Other","Title":"Published"},{"CveYear":"2020","CveId":"25799","Ordinal":"3","NoteData":"2020-12-31","Type":"Other","Title":"Modified"}]}}}