CVE-2022-48010

Name of the Vulnerable Software and Affected Versions LimeSurvey version 5.4.15

Description A stored cross-site scripting (XSS) issue was discovered in the component "/index.php/surveyAdministration/rendersidemenulink?subaction=surveytexts". This issue allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Description or Welcome-message text fields. The vendor disputes this as a vulnerability, citing that manipulation requires Superadministrator privileges, which already allow customization with JavaScript.

Recommendations For LimeSurvey version 5.4.15, consider restricting access to the /index.php/surveyAdministration/rendersidemenulink?subaction=surveytexts component to minimize the risk of exploitation. As a temporary workaround, consider disabling the ability to inject custom JavaScript in the Description and Welcome-message text fields until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this issue.