CVE-2025-63238
Reflected XSS in LimeSurvey QuestionCreate.php Allows Account Compromise
Publication date: 2026-04-09
Last updated on: 2026-04-16
Assigner: MITRE
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| limesurvey | limesurvey | up to 6.15.12 (excluding 6.15.12) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability is a reflected Cross-Site Scripting (XSS) flaw that allows an attacker to execute malicious scripts in the context of a logged-in user, potentially compromising confidentiality and integrity of user data.
Such a vulnerability can impact compliance with standards like GDPR and HIPAA because it may lead to unauthorized access or disclosure of personal or sensitive information, violating data protection and privacy requirements.
Specifically, the CVE has a CVSS score indicating impact on confidentiality and integrity, which are critical aspects of these regulations.
Can you explain this vulnerability to me?
CVE-2025-63238 is a Reflected Cross-Site Scripting (XSS) vulnerability affecting LimeSurvey versions prior to 6.15.11+250909. It occurs because the 'gid' parameter in the getInstance() function of application/models/QuestionCreate.php is not properly validated or sanitized.
An attacker can craft a malicious URL containing JavaScript code injected into the 'gid' parameter. When a logged-in user, such as an admin, visits this URL, the malicious script is executed in their browser, compromising their session or data.
The vulnerability arises from improper handling of the 'gid' parameter, which was previously accepted without type casting, allowing injection of malicious scripts. The fix involves casting 'gid' to an integer to prevent script injection.
How can this vulnerability impact me?
This vulnerability can impact you by allowing attackers to execute malicious JavaScript code in the context of a logged-in user's browser session.
- Compromise of user session and credentials.
- Unauthorized actions performed on behalf of the user.
- Exposure of sensitive information accessible to the user.
- Potential integrity loss of data due to injected scripts.
The vulnerability requires the user to interact with a maliciously crafted URL, and it affects confidentiality and integrity but not availability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for HTTP requests to the endpoint /index.php/questionAdministration/create that include a suspicious or malicious payload in the gid query parameter.
For example, you can search your web server logs or use network monitoring tools to identify URLs containing script tags or unusual characters in the gid parameter.
- Use grep or a similar tool on the access logs to find requests in which `gid=` is followed by suspicious script content, e.g. `grep -i 'gid=.*<script' /var/log/apache2/access.log`
- Or use a tool such as curl to request the endpoint with a crafted payload and check whether the reflected XSS occurs, for example: `curl -i 'http://your-limesurvey-domain/index.php/questionAdministration/create?surveyid=1&gid=1}</script><script>alert(387)</script><script>x='`
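As an added example (not part of this CVE record or of LimeSurvey), a small Python scanner that applies the detection idea above to Apache combined-format access logs. Instead of searching for a literal `<script`, it flags every request to the affected endpoint whose `gid` value is not a plain integer after URL decoding, so percent-encoded payloads that the grep above would miss are caught too. The endpoint path comes from the page; the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Apache combined-log format: the request line is the first quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)

# Endpoint named in the CVE record; gid is only ever valid as an integer.
VULN_PATH = "/index.php/questionAdministration/create"
INT_RE = re.compile(r"^\d+$")


def flag_request(line):
    """Return details of the request if its gid is not a plain integer, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path.rstrip("/") != VULN_PATH:
        return None
    # parse_qs percent-decodes once; unquote again to catch double-encoded values.
    for gid in parse_qs(parts.query, keep_blank_values=True).get("gid", []):
        decoded = unquote(gid)
        if not INT_RE.match(decoded):
            return {"ip": m.group("ip"), "time": m.group("ts"), "gid": decoded}
    return None


def scan(lines):
    """Run flag_request over an iterable of log lines and return the hits."""
    return [hit for hit in (flag_request(line) for line in lines) if hit]


# Constructed sample log lines (not real traffic): a benign request, an encoded
# non-integer gid on the affected endpoint, and a non-integer gid elsewhere.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Apr/2026:10:00:01 +0000] "GET /index.php/questionAdministration/create?surveyid=1&gid=12 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Apr/2026:10:00:05 +0000] "GET /index.php/questionAdministration/create?surveyid=1&gid=1%7D%3C/script%3E HTTP/1.1" 200 5210',
    '203.0.113.9 - - [10/Apr/2026:10:00:09 +0000] "GET /index.php/surveyAdministration/view?surveyid=1&gid=%3Cb%3E HTTP/1.1" 200 800',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Feed a real log with `scan(open("/var/log/apache2/access.log"))`; any hit is a request worth investigating, and on a patched 6.15.12+ instance the integer cast makes such values harmless.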
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade LimeSurvey to version 6.15.12+250916 or later, where the vulnerability has been fixed.
The fix involves enforcing type casting of the gid parameter to an integer to prevent injection of malicious scripts.
If upgrading immediately is not possible, consider implementing input validation or filtering on the gid parameter to ensure it only accepts integer values.