Vulnerability Details : CVE-2020-25797
LimeSurvey 3.21.1 is affected by stored cross-site scripting (XSS) in the Add Participants function: the first-name and last-name parameters are saved without neutralizing HTML. When that participant record is later opened for editing, e.g. by an administrative user, the injected JavaScript executes in that user's browser.
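The pattern behind this CVE, as an added example that is not LimeSurvey's code: a constructed participant record whose first and last names carry markup is rendered into an admin "edit participant" page first without output encoding (the vulnerable pattern) and then through an HTML encoder that covers both the element-text and the double-quoted-attribute contexts the names land in. The function and field names are assumptions chosen for illustration.

```javascript
// Added example, not code from LimeSurvey. Constructed participant record:
// the name fields hold the attacker-controlled values stored via the
// Add Participants function.
const participant = {
  firstname: '<script>alert(document.cookie)</script>',
  lastname: 'Doe" autofocus onfocus="alert(1)',
  email: 'jane@example.invalid',
};

// Minimal HTML encoder that is safe for element text and for values placed
// inside double-quoted attributes (&, <, >, " and ' are all encoded).
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Vulnerable pattern: stored values are interpolated verbatim into the page
// an administrator sees, so a name containing markup becomes live HTML.
function renderEditFormUnsafe(p) {
  return `<h2>Edit ${p.firstname} ${p.lastname}</h2>\n` +
    `<input name="firstname" value="${p.firstname}">\n` +
    `<input name="lastname" value="${p.lastname}">`;
}

// Hardened pattern: every untrusted value is encoded at the point of output.
// The same encoder works for the heading text and the attribute values here
// because it covers the quote characters as well as angle brackets.
function renderEditFormSafe(p) {
  return `<h2>Edit ${escapeHtml(p.firstname)} ${escapeHtml(p.lastname)}</h2>\n` +
    `<input name="firstname" value="${escapeHtml(p.firstname)}">\n` +
    `<input name="lastname" value="${escapeHtml(p.lastname)}">`;
}

// Crude review check over rendered output: does any untrusted value that
// contains HTML-significant characters appear in the page unchanged?
function containsRawMarkup(html, untrustedValues) {
  return untrustedValues.some(v => /[<>"']/.test(v) && html.includes(v));
}

const untrusted = [participant.firstname, participant.lastname];
console.log('unsafe render leaks markup:', containsRawMarkup(renderEditFormUnsafe(participant), untrusted));
console.log('safe render leaks markup:  ', containsRawMarkup(renderEditFormSafe(participant), untrusted));
console.log(renderEditFormSafe(participant));
```

Run it with node: the unsafe renderer echoes both names verbatim, including the script tag and the attribute break-out, while the safe renderer leaves no raw `<`, `>` or `"` from untrusted input. Encoding at output, per context, is what closes this bug class; filtering on the Add Participants form alone would not protect other pages that display the same stored record.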
Vulnerability category: Cross site scripting (XSS)
Products affected by CVE-2020-25797
- cpe:2.3:a:limesurvey:limesurvey:3.21.1:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-25797
- EPSS score: 0.06% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~23% (proportion of vulnerabilities scored at or below this value)
CVSS scores for CVE-2020-25797
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
3.5 | LOW | AV:N/AC:M/Au:S/C:N/I:P/A:N | 6.8 | 2.9 | NIST |
5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | 2.3 | 2.7 | NIST |
CWE ids for CVE-2020-25797
- The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Assigned by: nvd@nist.gov (Primary)
References for CVE-2020-25797
- https://bugs.limesurvey.org/view.php?id=15680
  15680: LimeSurvey 3.21.1 Cross Site Scripting Stored - LimeSurvey bugs and feature requests (Exploit; Vendor Advisory)
- https://github.com/LimeSurvey/LimeSurvey/commit/0a7bdfa1c166f734d11a1528c8d9a7d61b670ad7
  Fixed issue #15680: LimeSurvey 3.21.1 Cross Site Scripting Stored · LimeSurvey/LimeSurvey@0a7bdfa · GitHub (Patch; Vendor Advisory)