CVE-2021-44967: 
NixOS vulnerability analysis and mitigation

A Remote Code Execution (RCE) vulnerability exists in LimeSurvey 5.2.4 via the upload and install plugins function, which could allow a remote authenticated user with superadmin privileges to upload arbitrary PHP code files. This vulnerability was disclosed on February 24, 2022. However, this vulnerability is disputed as the vendor states that plugins intentionally can contain arbitrary PHP code and can only be installed by superadmins, therefore they consider the security model is not violated by this finding (NVD, MITRE).

The vulnerability exists in the plugin upload and installation functionality of LimeSurvey 5.2.4. An authenticated attacker with superadmin privileges can upload a malicious plugin containing arbitrary PHP code through the Configuration -> Plugins -> Upload & Install interface. Once uploaded and activated, the PHP code within the plugin can be executed on the server (GitHub, ExploitDB).

If successfully exploited, this vulnerability could allow an authenticated attacker with superadmin privileges to execute arbitrary code on the affected system, potentially leading to complete system compromise. However, the impact is limited since only superadmin users have the ability to upload and install plugins (NVD).

Since this is a disputed vulnerability where the vendor states this is intended functionality, the main mitigation is to ensure that superadmin credentials are properly secured and only trusted administrators have superadmin access. Additionally, carefully review any plugins before installation and only install plugins from trusted sources (LimeSurvey Manual).