CVE-2025-70797
Cross-Site Scripting in Limesurvey Box Parameters Enables Code Execution

Publication date: 2026-04-09

Last updated on: 2026-04-16

Assigner: MITRE

Description
Cross Site Scripting vulnerability in Limesurvey v.6.15.20+251021 allows a remote attacker to execute arbitrary code via the Box[title] and box[url] parameters.
Meta Information
Published: 2026-04-09
Last Modified: 2026-04-16
Generated: 2026-05-07
AI Q&A: 2026-04-09
EPSS Evaluated: 2026-05-05
External references: NVD, EUVD
Affected Vendors & Products (1 associated CPE)
Vendor      Product     Version / Range
limesurvey  limesurvey  6.15.20
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?

The immediate recommended mitigation is to upgrade LimeSurvey to version 6.15.21+251028 or later, where the vulnerability has been fixed.

The fix applies output encoding to the values rendered in the admin portal sidebar, specifically through the CHtml::encode() function, so that stored title and URL input is emitted as text rather than interpreted as markup or script.

Additionally, input validation for the Box[title] and Box[url] parameters has been improved to ensure URLs conform to valid formats and titles are validated.

Until the upgrade can be applied, restrict access to the affected endpoints to trusted users only, and monitor for suspicious activity involving the Box parameters.


Can you explain this vulnerability to me?

CVE-2025-70797 is a stored Cross-Site Scripting (XSS) vulnerability in LimeSurvey version 6.15.20+251021. It allows a remote attacker with authenticated access to inject malicious JavaScript code via the Box[title] and Box[url] parameters in the admin portal sidebar.

The vulnerability occurs because user inputs for the title and URL fields are not properly sanitized, enabling attackers to embed scripts that execute when other users view the affected page.

The issue was fixed by implementing HTML encoding to sanitize outputs and improving input validation rules to prevent malicious scripts from being stored and executed.
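The following Python is an added example, not LimeSurvey code: it mirrors the two-part fix described above (URL validation plus attribute-context encoding equivalent to CHtml::encode()) and adds a parser-based audit check a defender can run over stored box values to confirm the rendered markup carries no extra tags or attributes. The anchor skeleton and the exact validation rule are assumptions; the sample values are the payload shapes quoted on this page.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed samples shaped like the Box[title] / Box[url] payloads quoted on this page.
SAMPLE_TITLE = 'New" onmouseenter="alert(\'title\')" fix="'
SAMPLE_URL = '" onmouseenter="alert(\'dest url\')" class="btn btn-g-800 btn-icon"><input type="hidden"'
ALLOWED_SCHEMES = {"http", "https"}

def validate_box_url(url: str) -> bool:
    """Assumed rule: absolute http(s) URL with a host, or a site-relative path,
    with no quotes, angle brackets or control characters anywhere."""
    if any(c in url for c in '"\'<>') or any(ord(c) < 0x20 for c in url):
        return False
    if url.startswith("/") and not url.startswith("//"):
        return True
    parts = urlsplit(url)
    return parts.scheme.lower() in ALLOWED_SCHEMES and bool(parts.netloc)

def render_box_unencoded(title: str, url: str) -> str:
    """Pre-fix pattern: stored values dropped straight into attribute values."""
    return f'<a href="{url}" title="{title}" class="btn btn-g-800 btn-icon">{title}</a>'

def render_box_encoded(title: str, url: str) -> str:
    """Post-fix pattern: validate the URL, then attribute-context encode both values.
    html.escape(quote=True) encodes & < > " ' like htmlspecialchars(ENT_QUOTES), the
    PHP call Yii's CHtml::encode() wraps."""
    if not validate_box_url(url):
        raise ValueError("Box[url] rejected: not an http(s) URL or site-relative path")
    t, u = html.escape(title, quote=True), html.escape(url, quote=True)
    return f'<a href="{u}" title="{t}" class="btn btn-g-800 btn-icon">{t}</a>'

class _TagCollector(HTMLParser):
    """Records each start tag with its attribute names, as a browser would tokenise it."""
    def __init__(self) -> None:
        super().__init__()
        self.tags: list[tuple[str, list[str]]] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, sorted(name for name, _ in attrs)))

EXPECTED_TAGS = [("a", ["class", "href", "title"])]

def box_markup_is_safe(rendered: str) -> bool:
    """Audit check: the box must tokenise to exactly one <a> carrying only href, title
    and class; any extra tag or attribute (such as an event handler) fails."""
    parser = _TagCollector()
    parser.feed(rendered)
    parser.close()
    return parser.tags == EXPECTED_TAGS
```

Feeding stored Box[title]/Box[url] pairs from an unpatched instance through render_box_encoded and box_markup_is_safe shows which records were poisoned before the upgrade and need cleaning.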


How can this vulnerability impact me?

This vulnerability can allow an authenticated attacker to execute arbitrary JavaScript code in the context of other authenticated users viewing the affected LimeSurvey admin pages.

  • Execution of arbitrary scripts can lead to session hijacking, allowing attackers to steal user credentials or impersonate users.
  • Privilege escalation by exploiting the injected scripts to gain higher access within the application.
  • Compromise of confidentiality, integrity, and availability of the LimeSurvey system and its data.

The vulnerability requires authenticated access and user interaction, but its impact is considered high severity with a CVSS score of 8.4.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by testing the /index.php/homepageSettings endpoint for stored Cross-Site Scripting (XSS) in the Box[title] and Box[url] parameters.

Authenticated users can attempt to inject JavaScript payloads into the Destination URL and Title fields to see if the payload executes when viewing the /index.php/dashboard/view page.

Example proof-of-concept payloads include:

  • Destination URL: " onmouseenter="alert('dest url')" class="btn btn-g-800 btn-icon"><input type="hidden"
  • Title: New" onmouseenter="alert('title')" fix="

To detect this on your system, you can use curl or similar HTTP clients to send authenticated POST requests with these payloads to the /index.php/homepageSettings endpoint and then visit /index.php/dashboard/view to check if the JavaScript alert triggers.

Example curl command to test injection (authentication cookies or tokens required):

  • curl -X POST -d 'Box[title]=New" onmouseenter="alert(1)" fix="&Box[url]=" onmouseenter="alert(2)" class="btn btn-g-800 btn-icon"><input type="hidden"' -b 'auth_cookie=your_auth_cookie' https://your-limesurvey-domain/index.php/homepageSettings

After sending the payload, manually visit the dashboard view page to observe if the alert pop-ups appear, indicating the presence of the vulnerability.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The CVE-2025-70797 vulnerability is a stored Cross-Site Scripting (XSS) flaw that allows execution of arbitrary JavaScript code by authenticated users, potentially leading to session hijacking, privilege escalation, and unauthorized actions.

Such vulnerabilities can impact compliance with common standards and regulations like GDPR and HIPAA because they may lead to unauthorized access or disclosure of sensitive personal or health information, violating confidentiality and data protection requirements.

Specifically, the ability to execute arbitrary code in the context of authenticated users could enable attackers to compromise user sessions or escalate privileges, which undermines the integrity and confidentiality controls mandated by these regulations.

Therefore, if exploited, this vulnerability could result in non-compliance with data protection and security standards that require safeguarding against unauthorized access and ensuring data integrity.

