PT-2024-22532 · Unknown · Limesurvey

Shnoulle · Published 2024-10-07 · Updated 2024-10-16 · CVE-2024-28710

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: LimeSurvey versions prior to 6.5.0+240319

Description: The issue is a Cross Site Scripting (XSS) vulnerability that allows a remote attacker to execute arbitrary code. It is caused by a lack of input validation and output encoding in the Alert Widget's message component.

Recommendations: For versions prior to 6.5.0+240319, update to version 6.5.0+240319 or later to resolve the issue. As a temporary workaround, consider disabling the Alert Widget's message component until a patch is available. Restrict access to the Alert Widget to minimize the risk of exploitation.
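The root cause named above, a widget that places a message into HTML without output encoding, is shown below in an added PHP illustration. This is not LimeSurvey's code and does not reproduce the patched component; the function names `renderAlertUnsafe`/`renderAlertSafe`, the `$type` allowlist and the sample message are assumptions for the demonstration.

```php
<?php
// Added illustration (not LimeSurvey's own code): an alert widget that
// interpolates a caller-supplied message into HTML.

// Vulnerable pattern: the message and CSS type are concatenated into markup
// unencoded, so any markup inside the message is interpreted by the browser.
function renderAlertUnsafe(string $message, string $type = 'info'): string
{
    return '<div class="alert alert-' . $type . '" role="alert">'
        . $message
        . '</div>';
}

// Hardened pattern: encode every untrusted value at output time, and restrict
// the type to a known allowlist so it cannot break out of the class attribute.
// (Yii 1.x, which LimeSurvey builds on, offers CHtml::encode() for the same
// purpose; htmlspecialchars is used here so the block runs stand-alone.)
function renderAlertSafe(string $message, string $type = 'info'): string
{
    $allowedTypes = ['success', 'info', 'warning', 'danger'];
    if (!in_array($type, $allowedTypes, true)) {
        $type = 'info';
    }
    $encodedMessage = htmlspecialchars($message, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<div class="alert alert-' . $type . '" role="alert">'
        . $encodedMessage
        . '</div>';
}

// Defensive check usable in a unit test: the rendered output must not contain
// the raw message markup, only its encoded form.
function messageIsEncoded(string $rendered, string $rawMessage): bool
{
    $encoded = htmlspecialchars($rawMessage, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return strpos($rendered, $rawMessage) === false
        && strpos($rendered, $encoded) !== false;
}

// Constructed sample input: a message that carries HTML tags. The unsafe
// renderer emits the tags as live markup; the safe renderer emits them as text.
$untrustedMessage = 'Survey saved <b>with markup</b>';
$untrustedType    = 'info" onmouseover="x';

echo renderAlertUnsafe($untrustedMessage, $untrustedType), PHP_EOL;
// -> <div class="alert alert-info" onmouseover="x" role="alert">Survey saved <b>with markup</b></div>

echo renderAlertSafe($untrustedMessage, $untrustedType), PHP_EOL;
// -> <div class="alert alert-info" role="alert">Survey saved &lt;b&gt;with markup&lt;/b&gt;</div>

var_dump(messageIsEncoded(renderAlertUnsafe($untrustedMessage), $untrustedMessage)); // bool(false)
var_dump(messageIsEncoded(renderAlertSafe($untrustedMessage), $untrustedMessage));   // bool(true)
```

The fix is applied at the output boundary rather than by filtering input: encoding with `htmlspecialchars` (or the framework's equivalent) makes every character of the message inert in an HTML text context, and the allowlist on `$type` closes the attribute context as well. A test such as `messageIsEncoded` is a cheap regression guard once the component is patched.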

Fix

XSS

Weakness Enumeration

Related Identifiers

BIT-LIMESURVEY-2024-28710
CVE-2024-28710
GHSA-632Q-77QJ-C89Q

Affected Products

Limesurvey