CVE-2025-63238
Reflected XSS in LimeSurvey QuestionCreate.php Allows Account Compromise

Publication date: 2026-04-09

Last updated on: 2026-04-16

Assigner: MITRE

Description
A Reflected Cross-Site Scripting (XSS) vulnerability affects LimeSurvey versions prior to 6.15.11+250909, due to the lack of validation of the gid parameter in the getInstance() function in application/models/QuestionCreate.php. This allows an attacker to craft a malicious URL and compromise the logged-in user.
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-04-09
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Vendor: limesurvey
Product: limesurvey
Version / Range: up to 6.15.12 (excluding)
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Compliance Impact

The vulnerability is a reflected Cross-Site Scripting (XSS) flaw that allows an attacker to execute malicious scripts in the context of a logged-in user, potentially compromising confidentiality and integrity of user data.

Such a vulnerability can impact compliance with standards like GDPR and HIPAA because it may lead to unauthorized access or disclosure of personal or sensitive information, violating data protection and privacy requirements.

Specifically, the CVE has a CVSS score indicating impact on confidentiality and integrity, which are critical aspects of these regulations.

Executive Summary

CVE-2025-63238 is a Reflected Cross-Site Scripting (XSS) vulnerability affecting LimeSurvey versions prior to 6.15.11+250909. It occurs because the 'gid' parameter in the getInstance() function of application/models/QuestionCreate.php is not properly validated or sanitized.

An attacker can craft a malicious URL containing JavaScript code injected into the 'gid' parameter. When a logged-in user, such as an admin, visits this URL, the malicious script is executed in their browser, compromising their session or data.

The vulnerability arises from improper handling of the 'gid' parameter, which was previously accepted without type casting, allowing injection of malicious scripts. The fix involves casting 'gid' to an integer to prevent script injection.

Impact Analysis

This vulnerability can impact you by allowing attackers to execute malicious JavaScript code in the context of a logged-in user's browser session.

  • Compromise of user session and credentials.
  • Unauthorized actions performed on behalf of the user.
  • Exposure of sensitive information accessible to the user.
  • Potential integrity loss of data due to injected scripts.

The vulnerability requires the user to interact with a maliciously crafted URL, and it affects confidentiality and integrity but not availability.

Detection Guidance

This vulnerability can be detected by monitoring for HTTP requests to the endpoint /index.php/questionAdministration/create that include a suspicious or malicious payload in the gid query parameter.

For example, you can search your web server logs or use network monitoring tools to identify URLs containing script tags or unusual characters in the gid parameter.

  • Use grep or similar tools on access logs to find requests with 'gid=' followed by suspicious script content (note that a literal match like this misses URL-encoded payloads, so also check decoded parameter values), e.g.:
      grep -i 'gid=.*<script' /var/log/apache2/access.log
  • Or use tools like curl to test the endpoint with a crafted payload to see if the reflected XSS occurs, for example:
      curl -i 'http://your-limesurvey-domain/index.php/questionAdministration/create?surveyid=1&gid=1}</script><script>alert(387)</script><script>x='

Mitigation Strategies

The immediate mitigation step is to upgrade LimeSurvey to version 6.15.12+250916 or later, where the vulnerability has been fixed.

The fix involves enforcing type casting of the gid parameter to an integer to prevent injection of malicious scripts.

If upgrading immediately is not possible, consider implementing input validation or filtering on the gid parameter to ensure it only accepts integer values.
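As an added defender-side example (not code from the advisory, the AI summary, or LimeSurvey itself), the following Python scanner applies the detection and mitigation guidance above to constructed Apache access-log lines: it decodes the query string of requests to the create endpoint and flags any gid value that is not a plain integer, the same rule the fix enforces by casting. The log lines, IP addresses and timestamps are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log lines (Apache combined format) for illustration only.
# Line 3 carries a URL-encoded payload shaped like the one quoted in the advisory;
# line 4 carries a single quote character, which a grep for '<script' would miss.
SAMPLE_LOG = """\
203.0.113.5 - - [09/Apr/2026:10:00:01 +0000] "GET /index.php/questionAdministration/create?surveyid=1&gid=3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [09/Apr/2026:10:00:07 +0000] "GET /index.php/admin/survey/sa/view?surveyid=1 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [09/Apr/2026:10:02:13 +0000] "GET /index.php/questionAdministration/create?surveyid=1&gid=1%7D%3C%2Fscript%3E%3Cscript%3Ealert%28387%29%3C%2Fscript%3E HTTP/1.1" 200 5200 "-" "Mozilla/5.0"
198.51.100.9 - - [09/Apr/2026:10:02:20 +0000] "GET /index.php/questionAdministration/create?surveyid=1&gid=1%27 HTTP/1.1" 200 5200 "-" "Mozilla/5.0"
"""

TARGET_PATH = "/index.php/questionAdministration/create"
# Extract client IP, timestamp, method and request target from a combined-format line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)
INT_RE = re.compile(r"^\d+$")


def is_valid_gid(value: str) -> bool:
    """Mirror the fix: a gid is acceptable only if it is a plain non-negative integer."""
    return INT_RE.match(value) is not None


def find_suspicious_gid_requests(log_text: str) -> list[dict]:
    """Return requests to the vulnerable endpoint whose gid is not a plain integer.

    The query string is percent-decoded before checking, so URL-encoded payloads
    that a literal grep for '<script' would miss are still flagged.
    """
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a well-formed combined-format line; skip it
        parts = urlsplit(m.group("target"))
        if parts.path != TARGET_PATH:
            continue
        # parse_qs decodes values; keep_blank_values so an empty gid is inspected too
        for gid in parse_qs(parts.query, keep_blank_values=True).get("gid", []):
            if not is_valid_gid(gid):
                hits.append({"ip": m.group("ip"), "ts": m.group("ts"), "gid": gid})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_gid_requests(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} non-integer gid: {hit['gid']!r}")
```

The same is_valid_gid rule can serve as the interim input filter the mitigation section recommends when an upgrade must wait.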
