CVE-2020-25798

Name of the Vulnerable Software and Affected Versions LimeSurvey versions prior to 3.21.1

Description A stored cross-site scripting (XSS) issue allows authenticated users with correct permissions to inject arbitrary web script or HTML via the ParticipantAttributeNamesDropdown parameter of the Attributes on the central participant database page. When a survey attribute is being edited or viewed, the JavaScript code will be executed in the browser.

Recommendations For versions prior to 3.21.1, update to a version newer than 3.21.1 to resolve the issue. As a temporary workaround, consider restricting access to the ParticipantAttributeNamesDropdown parameter to minimize the risk of exploitation.