Vulnerability DatabaseCVE-2024-28710

CVE-2024-28710:
PHP vulnerability analysis and mitigation

Overview

A Cross-Site Scripting (XSS) vulnerability has been identified in LimeSurvey versions before 6.5.0+240319. The vulnerability exists due to insufficient input validation and output encoding in the Alert Widget's message component (NVD).

Technical details

The vulnerability is classified with a CVSS v3.1 Base Score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. This indicates that the vulnerability is network-accessible, requires low attack complexity, needs no privileges, but does require user interaction. The scope is changed, with low impacts on both confidentiality and integrity, and no impact on availability (NVD).

Impact

The vulnerability allows remote attackers to execute arbitrary code through the Alert Widget's message component. This could lead to the execution of malicious scripts in the context of other users' browsers, potentially compromising user data and session information (NVD).

Mitigation and workarounds

The vulnerability has been fixed in LimeSurvey version 6.5.0+240319. Users are advised to upgrade to this version or later. The fix includes improved input validation and output encoding in the Alert Widget's message component (GitHub Patch).