CVE-2020-11456
published 2020-04-01

CVE-2020-11456: LimeSurvey before 4.1.12+200324 has stored XSS in application/views/admin/surveysgroups/surveySettings.php and application/models/SurveysGroups.php (aka survey…

Priority: P3, 50, medium; CVSS 3.1 score: 5.4
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EXPLOIT
EPSS: 70.84% (99.3th percentile)
LimeSurvey before 4.1.12+200324 has stored XSS in application/views/admin/surveysgroups/surveySettings.php and application/models/SurveysGroups.php (aka survey groups).

Affected

2 ranges

Vendor | Product | Version range | Fixed in
limesurvey | limesurvey | <= 4.1.11 |
limesurvey | limesurvey | |

Detection & IOCs (extracted from sources)

url: /limesurvey/index.php/admin/surveysgroups/sa/create
command: SurveysGroups%5Btitle%5D=%3Cimg+src%3D%2F+onerror%3Dalert%281%29%3E
path: application/views/admin/surveysgroups/surveySettings.php
path: application/models/SurveysGroups.php
  • Monitor HTTP POST requests to the surveysgroups create endpoint for XSS payloads (e.g., HTML tags with event handlers) in the 'title' parameter (SurveysGroups[title]).
  • Inspect POST body to /admin/surveysgroups/sa/create for URL-encoded HTML injection patterns such as %3Cimg+src%3D%2F+onerror%3D in the SurveysGroups[title] field.
  • Alert on POST requests to the LimeSurvey admin panel path /admin/surveysgroups/sa/create originating from unexpected or external sources, as exploitation requires authenticated access to the admin panel.
  • The vulnerability is present in LimeSurvey versions before 4.1.12+200324; ensure instances are patched to at least this version to remediate the stored XSS in survey groups.
  • Exploitation requires authenticated access to the LimeSurvey administration panel; the attack surface is limited to users with admin credentials, but stored XSS can subsequently affect any admin viewing the survey groups.
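
The first two detection points above can be expressed as a small log-inspection routine. This is an added example, not code from LimeSurvey or from this page's sources; the function names, the regular expressions and the three sample requests are assumptions constructed for illustration, and the second and third samples are benign. It also decodes repeatedly, so a double-encoded title is inspected in its final form.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

ENDPOINT_SUFFIX = "/admin/surveysgroups/sa/create"
FIELD = "SurveysGroups[title]"
# Markup indicators: an opening tag, or an inline event-handler attribute.
TAG_RE = re.compile(r"<\s*[a-zA-Z!/]")
HANDLER_RE = re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)


def fully_decode(value, max_rounds=3):
    """URL-decode repeatedly so double-encoded input is still inspected."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(method, url, body):
    """Return the reasons a survey-group title looks like HTML markup."""
    if method.upper() != "POST":
        return []
    if not urlsplit(url).path.rstrip("/").endswith(ENDPOINT_SUFFIX):
        return []
    reasons = []
    for title in parse_qs(body, keep_blank_values=True).get(FIELD, []):
        text = fully_decode(title)
        if TAG_RE.search(text):
            reasons.append("html-tag")
        if HANDLER_RE.search(text):
            reasons.append("event-handler")
    return reasons


# Constructed sample requests (method, URL, form body); not real traffic.
SAMPLES = [
    ("POST", "/limesurvey/index.php/admin/surveysgroups/sa/create",
     "SurveysGroups%5Btitle%5D=%3Cimg+src%3D%2F+onerror%3Dalert%281%29%3E"),
    ("POST", "/limesurvey/index.php/admin/surveysgroups/sa/create",
     "SurveysGroups%5Btitle%5D=Customer+feedback+2020"),
    ("POST", "/limesurvey/index.php/admin/surveysgroups/sa/create",
     "SurveysGroups%5Btitle%5D=%253Cb%253EQ1%253C%252Fb%253E"),
]

if __name__ == "__main__":
    for method, url, body in SAMPLES:
        print(inspect_request(method, url, body) or "clean", body)
```

A title that legitimately contains text such as `online = yes` would trip the event-handler pattern, so treat a hit as a lead to review rather than a confirmed injection.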

CVSS provenance

nvd | v3.1 | 5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
nvd | v2.0 | 3.5 | LOW | AV:N/AC:M/Au:S/C:N/I:P/A:N