CVE-2024-6933

Name of the Vulnerable Software and Affected Versions LimeSurvey version 6.5.14-240624

Description A critical issue has been found, affecting the function actionUpdateSurveyLocaleSettingsGeneralSettings of the component Survey General Settings Handler, located in the file "/index.php?r=admin/database/index/updatesurveylocalesettings generalsettings". The manipulation of the language argument leads to sql injection. This issue can be exploited remotely. The exploit has been disclosed to the public.

Recommendations For LimeSurvey version 6.5.14-240624, as a temporary workaround, consider disabling the actionUpdateSurveyLocaleSettingsGeneralSettings function until a patch is available. Restrict access to the "/index.php?r=admin/database/index/updatesurveylocalesettings generalsettings" endpoint to minimize the risk of exploitation. Avoid using the language argument in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this issue.