Limesurvey · Limesurvey · CVE-2020-25798
**Name of the Vulnerable Software and Affected Versions**
LimeSurvey versions prior to 3.21.1
**Description**
A stored cross-site scripting (XSS) issue allows authenticated users with the correct permissions to inject arbitrary web script or HTML via the `ParticipantAttributeNamesDropdown` parameter of the Attributes on the central participant database page. When a survey attribute is edited or viewed, the injected JavaScript code is executed in the browser.
**Recommendations**
For versions prior to 3.21.1, update to a version newer than 3.21.1 to resolve the issue. As a temporary workaround, consider restricting access to the `ParticipantAttributeNamesDropdown` parameter to minimize the risk of exploitation.
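
The stored XSS described above comes down to dropdown values being written back into the page without output encoding. The following added example (a generic illustration of the bug class, not LimeSurvey's code) renders the same stored values unencoded and encoded, and audits stored values for markup characters while an upgrade is pending. The row layout, function names and sample values are assumptions constructed for the example.

```python
import html
import re

# Constructed sample rows: (attribute_id, stored dropdown value).
# Hypothetical layout for illustration; not real LimeSurvey data or schema.
SAMPLE_ROWS = [
    (1, "Engineering"),
    (1, "R&D"),
    (2, '"><script>alert(1)</script>'),
    (2, "<b>Sales</b>"),
]

# Characters that let a value leave an HTML text or attribute context.
MARKUP = re.compile(r"[<>\"'`]")


def render_unsafe(values):
    """Bug class: stored values concatenated into markup unencoded."""
    return "".join('<option value="%s">%s</option>' % (v, v) for v in values)


def render_safe(values):
    """Hardened form: encode for both the attribute and the text context."""
    return "".join(
        '<option value="{0}">{0}</option>'.format(html.escape(v, quote=True))
        for v in values
    )


def audit(rows):
    """Return the rows whose stored value contains markup metacharacters."""
    return [(attr_id, v) for attr_id, v in rows if MARKUP.search(v)]


if __name__ == "__main__":
    values = [v for _, v in SAMPLE_ROWS]
    print("unsafe:", render_unsafe(values))
    print("safe:  ", render_safe(values))
    for attr_id, value in audit(SAMPLE_ROWS):
        print("review attribute %d: %r" % (attr_id, value))
```

Values flagged by `audit` are candidates for manual review, not proof of compromise, since legitimate values can contain quotes.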