
Gabrieljenik

#20684 of 53,630
12.2 Total CVSS
Vulnerabilities · 2
Medium · 2
PT-2024-22530
6.1
2024-10-07
Unknown · Limesurvey · CVE-2024-28709
**Name of the Vulnerable Software and Affected Versions**
LimeSurvey versions prior to 6.5.12+240611

**Description**
A Cross Site Scripting vulnerability allows a remote attacker to execute arbitrary code via a crafted script to the `title` and `comment` fields. This issue enables the execution of arbitrary code, potentially leading to unauthorized access or control.

**Recommendations**
For versions prior to 6.5.12+240611, update to version 6.5.12+240611 or later to resolve the issue. As a temporary workaround, consider restricting access to the `title` and `comment` fields until a patch is applied.
PT-2021-23538
6.1
2021-10-08
Unknown · Limesurvey · CVE-2021-42112
**Name of the Vulnerable Software and Affected Versions**
LimeSurvey versions 3.x-LTS through 3.27.18

**Description**
The issue affects the "File upload question" functionality, allowing XSS in `assets/scripts/modaldialog.js` and `assets/scripts/uploader.js`.

**Recommendations**
For LimeSurvey versions 3.x-LTS through 3.27.18, consider disabling the "File upload question" functionality until a patch is available. Restrict access to the `assets/scripts/modaldialog.js` and `assets/scripts/uploader.js` files to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.