CVE-2020-11456: 
NixOS vulnerability analysis and mitigation

LimeSurvey before version 4.1.12+200324 was discovered to contain a stored Cross-Site Scripting (XSS) vulnerability in application/views/admin/surveysgroups/surveySettings.php and application/models/SurveysGroups.php components, specifically in the survey groups functionality (NVD, CVE). The vulnerability was disclosed on April 1, 2020.

The vulnerability exists within the 'Survey Groups' functionality of the LimeSurvey administration panel, specifically affecting the 'title' parameter. The issue received a CVSS v3.1 Base Score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, indicating that it requires low attack complexity but needs user interaction and privileged access (NVD).

If successfully exploited, this vulnerability allows attackers to execute arbitrary web scripts or HTML code within the context of the application. The stored XSS nature of the vulnerability means that the malicious code persists in the application and can affect multiple users who access the affected survey groups (Exploit DB).

The vulnerability was patched in LimeSurvey version 4.1.12+200324. The fix involves proper encoding of the title parameter using CHtml::encode() in the survey settings view file. Organizations should upgrade to this version or later to mitigate the vulnerability (GitHub Patch).