CVE-2014-5018

Name of the Vulnerable Software and Affected Versions LimeSurvey versions 2.05 and later

Description The issue is related to an incomplete blacklist vulnerability in the autoEscape function. This allows remote attackers to conduct cross-site scripting (XSS) attacks via the GBK charset in the loadname parameter to "index.php", specifically when resuming a survey.

Recommendations For LimeSurvey versions 2.05 and later, consider restricting access to the loadname parameter in the "index.php" endpoint until a patch is available. As a temporary workaround, avoid using the GBK charset in the loadname parameter to minimize the risk of exploitation.