CVE-2025-70797
Received Received - Intake
Cross-Site Scripting in Limesurvey Box Parameters Enables Code Execution

Publication date: 2026-04-09

Last updated on: 2026-04-16

Assigner: MITRE

Description
Cross Site Scripting vulnerability in Limesurvey v.6.15.20+251021 allows a remote attacker to execute arbitrary code via the Box[title] and box[url] parameters.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-09
Last Modified
2026-04-16
Generated
2026-06-16
AI Q&A
2026-04-09
EPSS Evaluated
2026-06-15
NVD
CVE-2025-70797
EUVD
EUVD-2025-209392
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
limesurvey limesurvey 6.15.20
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

The immediate recommended mitigation is to upgrade LimeSurvey to version 6.15.21+251028 or later, where the vulnerability has been fixed.

The fix involves applying output encoding to sanitize user inputs and outputs in the admin portal sidebar, specifically using the CHtml::encode() function to prevent script injection.

Additionally, input validation for the Box[title] and Box[url] parameters has been improved to ensure URLs conform to valid formats and titles are validated.

Until the upgrade can be applied, restrict access to the affected endpoints to trusted users only, and monitor for suspicious activity involving the Box parameters.

Executive Summary

CVE-2025-70797 is a stored Cross-Site Scripting (XSS) vulnerability in LimeSurvey version 6.15.20+251021. It allows a remote attacker with authenticated access to inject malicious JavaScript code via the Box[title] and Box[url] parameters in the admin portal sidebar.

The vulnerability occurs because user inputs for the title and URL fields are not properly sanitized, enabling attackers to embed scripts that execute when other users view the affected page.

The issue was fixed by implementing HTML encoding to sanitize outputs and improving input validation rules to prevent malicious scripts from being stored and executed.

Impact Analysis

This vulnerability can allow an authenticated attacker to execute arbitrary JavaScript code in the context of other authenticated users viewing the affected LimeSurvey admin pages.

  • Execution of arbitrary scripts can lead to session hijacking, allowing attackers to steal user credentials or impersonate users.
  • Privilege escalation by exploiting the injected scripts to gain higher access within the application.
  • Compromise of confidentiality, integrity, and availability of the LimeSurvey system and its data.

The vulnerability requires authenticated access and user interaction, but its impact is considered high severity with a CVSS score of 8.4.

Detection Guidance

This vulnerability can be detected by testing the /index.php/homepageSettings endpoint for stored Cross-Site Scripting (XSS) in the Box[title] and Box[url] parameters.

Authenticated users can attempt to inject JavaScript payloads into the Destination URL and Title fields to see if the payload executes when viewing the /index.php/dashboard/view page.

Example proof-of-concept payloads include:

  • Destination URL: " onmouseenter="alert('dest url')" class="btn btn-g-800 btn-icon"><input type="hidden"
  • Title: New" onmouseenter="alert('title')" fix="

To detect this on your system, you can use curl or similar HTTP clients to send authenticated POST requests with these payloads to the /index.php/homepageSettings endpoint and then visit /index.php/dashboard/view to check if the JavaScript alert triggers.

Example curl command to test injection (authentication cookies or tokens required):

  • curl -X POST -d 'Box[title]=New" onmouseenter="alert(1)" fix="&Box[url]=" onmouseenter="alert(2)" class="btn btn-g-800 btn-icon"><input type="hidden"' -b 'auth_cookie=your_auth_cookie' https://your-limesurvey-domain/index.php/homepageSettings

After sending the payload, manually visit the dashboard view page to observe if the alert pop-ups appear, indicating the presence of the vulnerability.

Compliance Impact

The CVE-2025-70797 vulnerability is a stored Cross-Site Scripting (XSS) flaw that allows execution of arbitrary JavaScript code by authenticated users, potentially leading to session hijacking, privilege escalation, and unauthorized actions.

Such vulnerabilities can impact compliance with common standards and regulations like GDPR and HIPAA because they may lead to unauthorized access or disclosure of sensitive personal or health information, violating confidentiality and data protection requirements.

Specifically, the ability to execute arbitrary code in the context of authenticated users could enable attackers to compromise user sessions or escalate privileges, which undermines the integrity and confidentiality controls mandated by these regulations.

Therefore, if exploited, this vulnerability could result in non-compliance with data protection and security standards that require safeguarding against unauthorized access and ensuring data integrity.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-70797. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart