CVE-2019-14512: 
NixOS vulnerability analysis and mitigation

LimeSurvey version 3.17.7+190627 was found to contain a Cross-Site Scripting (XSS) vulnerability. The vulnerability exists in two locations: the Boxes functionality in application/extensions/PanelBoxWidget/views/box.php and the label title in application/views/admin/labels/labelview_view.php. This vulnerability was discovered and reported by security researcher Michele Cisternino (LinkedIn Profile).

The vulnerability is a Cross-Site Scripting (XSS) issue that occurs due to insufficient encoding of user input in two specific files: box.php in the PanelBoxWidget extension and labelview_view.php in the admin labels view. The vulnerability allows for potential injection of malicious scripts through these entry points (LimeSurvey Commit, LimeSurvey Commit).

The XSS vulnerability could allow attackers to inject and execute malicious client-side scripts in the context of other users' browsers. This could potentially lead to theft of sensitive information, session hijacking, or other malicious actions performed in the context of the affected user's session.

The vulnerability has been fixed through two commits that implement proper encoding of user input. The fixes include encoding the label name and implementing proper encoding in the box.php file (LimeSurvey Commit, LimeSurvey Commit). Users should upgrade to a patched version of LimeSurvey to protect against this vulnerability.