Shnoulle

#20664 of 53,635
12.2 Total CVSS
Vulnerabilities · 2
Medium
2
PT-2024-22532
6.1
2024-10-07
Unknown · Limesurvey · CVE-2024-28710
**Name of the Vulnerable Software and Affected Versions** LimeSurvey versions prior to 6.5.0+240319

**Description** The issue is related to a Cross Site Scripting (XSS) vulnerability that allows a remote attacker to execute arbitrary code. This is due to a lack of input validation and output encoding in the Alert Widget's message component.

**Recommendations** For versions prior to 6.5.0+240319, update to version 6.5.0+240319 or later to resolve the issue. As a temporary workaround, consider disabling the Alert Widget's message component until a patch is available. Restrict access to the Alert Widget to minimize the risk of exploitation.

PT-2020-14794
6.1
2020-08-05
Limesurvey · Limesurvey · CVE-2020-16192
**Name of the Vulnerable Software and Affected Versions** LimeSurvey version 4.3.2

**Description** The issue allows for reflected XSS due to a lack of validation for parameters in the application/controllers/LSBaseController.php file.

**Recommendations** For LimeSurvey version 4.3.2, consider adding validation code to the LSBaseController.php file to properly check parameters and prevent XSS attacks. As a temporary workaround, restrict access to potentially vulnerable areas of the application until a proper fix can be applied.