CVE-2021-42112
Description
The "File upload question" functionality in LimeSurvey 3.x-LTS through 3.27.18 allows XSS in assets/scripts/modaldialog.js and assets/scripts/uploader.js.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
LimeSurvey 3.x-LTS up to 3.27.18 has a stored XSS in File Upload question type via unsafe eval in JavaScript.
Vulnerability
LimeSurvey 3.x-LTS through version 3.27.18 contains a stored cross-site scripting (XSS) vulnerability in the "File upload" question type. The issue resides in the JavaScript files assets/scripts/modaldialog.js and assets/scripts/uploader.js, which use the eval() function to parse JSON data returned from the server. This allows an attacker to inject arbitrary JavaScript code that is executed when the malicious data is processed [1][2].
Exploitation
An attacker must be able to create or edit a survey containing a file upload question. They can inject malicious script into the JSON data associated with uploaded files (e.g., via a crafted file name or metadata). When an administrator or respondent views the survey results or the file list, the injected script executes in their browser [4]. No user interaction beyond viewing the affected page is required.
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim's browser within the context of the LimeSurvey application. This can lead to session hijacking, theft of sensitive data, defacement, or unauthorized actions on behalf of the victim [1][2].
Mitigation
The vulnerability was fixed in commit d56619a50cfd191bbffd0adb660638a5e438070d by replacing eval() with JSON.parse() [4]. Users should upgrade to a LimeSurvey version later than 3.27.18 (3.27.19 or newer), or apply the patch manually. No official workaround is available, and the CVE is not listed in the Known Exploited Vulnerabilities (KEV) catalog.
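The Vulnerability and Mitigation sections above both turn on one point: handing a server- or user-supplied string to eval() executes whatever JavaScript it contains, whereas JSON.parse() accepts only the JSON grammar and throws on anything else. The block below is an added illustration, not LimeSurvey's code; the function names, the field names (title, comment, name) and the sample strings are constructed for this example. It contrasts the two parsing approaches on the same input and then shows a hardened renderer that, unlike a bare JSON.parse swap, also validates the parsed shape and HTML-escapes values before concatenating them into markup.

```javascript
// Added example (not LimeSurvey's code). Field names and sample inputs are
// constructed for illustration.

// Records side effects so we can observe whether text from the "JSON" string
// was executed. On a real page, arbitrary script would run instead.
const sideEffects = [];
globalThis.__recordSideEffect = (msg) => sideEffects.push(msg);

// Vulnerable pattern (the pre-patch behaviour): the string is wrapped in
// parentheses and passed to eval(), so any JavaScript expression inside it runs.
function parseWithEval(jsonstring) {
  return eval('(' + jsonstring + ')');
}

// Safe pattern: JSON.parse() only understands JSON, so embedded code is a
// SyntaxError and nothing executes. The failure is reported to the caller as
// null rather than being swallowed by an empty catch block.
function parseWithJsonParse(jsonstring) {
  try {
    return JSON.parse(jsonstring);
  } catch (e) {
    return null;
  }
}

// Accept only the shape the renderer expects: an array of objects whose
// relevant fields are strings. Anything else is treated as "no files".
function normalizeFileList(parsed) {
  if (!Array.isArray(parsed)) return [];
  return parsed
    .filter((f) => f && typeof f === 'object')
    .map((f) => ({
      title: typeof f.title === 'string' ? f.title : '',
      comment: typeof f.comment === 'string' ? f.comment : '',
      name: typeof f.name === 'string' ? f.name : '',
    }));
}

// Escape for an HTML text or attribute context. Parsing safely does not make
// the values safe to render; they are still untrusted strings.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened equivalent of a "display uploaded files" routine: safe parse,
// shape validation, and output encoding before string concatenation.
function renderUploadedFiles(jsonstring) {
  const files = normalizeFileList(parseWithJsonParse(jsonstring));
  let html = '<table class="question uploadedfiles"><tbody>';
  for (const f of files) {
    html += '<tr><td>' + escapeHtml(f.title) + '</td>' +
            '<td>' + escapeHtml(f.comment) + '</td>' +
            '<td>' + escapeHtml(f.name) + '</td></tr>';
  }
  return html + '</tbody></table>';
}

// Constructed sample inputs.
const BENIGN = '[{"title":"report","comment":"Q1","name":"report.pdf"}]';
// Valid JavaScript but not valid JSON: a function call sits where a value should be.
const NOT_JSON = '[{"title": __recordSideEffect("ran from eval"), "name":"x"}]';
// Valid JSON whose string values carry markup; JSON.parse alone does not neutralise this.
const MARKUP = '[{"title":"<script>x</script>","comment":"","name":"a.txt"}]';
```

Running parseWithEval(NOT_JSON) pushes an entry onto sideEffects, while parseWithJsonParse(NOT_JSON) returns null and leaves it untouched; renderUploadedFiles(MARKUP) emits the title as `&lt;script&gt;x&lt;/script&gt;`. The design point is that the fix has two halves: a parser that cannot execute code, and output encoding for the values it yields.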
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| limesurvey/limesurvey (Packagist) | < 3.27.19 | 3.27.19 |
Affected products
- LimeSurvey/LimeSurvey (OSV coordinates, 2 version ranges): >= 3.0.0, < 3.27.19, and 1 more
- (no CPE) range: >= 3.0.0, < 3.27.19
- (no CPE) range: < 3.27.19
Patches
1. d56619a50cfd: Fixed issue #17562: XSS injection in the 'File upload' question type in LimeSurvey version 3.x-LTS (#2044)
2 files changed · +8 −2
assets/scripts/modaldialog.js+4 −1 modified@@ -103,7 +103,10 @@ function displayUploadedFiles(jsonstring, filecount, fieldname, show_title, show if (jsonstring !== '') { - jsonobj = eval('(' + jsonstring + ')'); + var jsonobj = ''; + try{ + jsonobj = JSON.parse(jsonstring); + } catch(e) {} display = '<table width="100%" class="question uploadedfiles"><thead><tr><td width="20%"> </td>'; if (show_title != 0) display += '<th>'+uploadLang.headTitle+'</th>';
assets/scripts/uploader.js+4 −1 modified@@ -38,7 +38,10 @@ function doFileUpload() if (filecount > 0) { var jsontext = window.parent.window.$('#' + fieldname).val(); - var json = eval('(' + jsontext + ')'); + var json = ''; + try{ + json = JSON.parse(jsontext); + } catch(e) {} if ($('#field' + fieldname + '_listfiles').length == 0) { $("<ul id='field" + fieldname + "_listfiles' class='files-list' />").insertAfter("#uploadstatus");
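Review bot: in the modaldialog.js hunk, the empty `catch(e) {}` leaves `jsonobj` as the empty string `''` when `JSON.parse` throws, and the code that follows goes on to build the `uploadedfiles` table from it; initialise it to `[]` (or `null`) and return early on a parse failure, and at least log the error so malformed or tampered metadata is visible rather than silently rendered as an empty list. The `var` keyword is new here, so check that `jsonobj` was not relied on as a global elsewhere in the file. Note also that `display` is built by string concatenation (the visible `display += '<th>'+uploadLang.headTitle+'</th>'`), so any value taken from `jsonobj` and appended the same way still needs HTML escaping: swapping in `JSON.parse` closes the code-execution path, not the HTML-injection one. Style: `try{` should be `try {`.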
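Review bot: same pattern in the uploader.js hunk: `json` is initialised to `''` and the `catch(e) {}` swallows the parse error, so the code below runs with a string where it expects the parsed file list; prefer `var json = [];` with an early `return` (and a console message) when parsing fails. The value comes from `window.parent.window.$('#' + fieldname).val()`, a form field in the parent frame, so it is user-controlled input and the parsed result should be shape-checked (an array of objects with string fields) before it is used to build the `files-list` markup that follows. Style: `try{` should be `try {` to match the surrounding code.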
References
1. github.com/advisories/GHSA-h9ph-jcgh-gf69 (GHSA, advisory)
2. nvd.nist.gov/vuln/detail/CVE-2021-42112 (GHSA, advisory)
3. bugs.limesurvey.org/view.php (GHSA, x_refsource_MISC, web)
4. github.com/LimeSurvey/LimeSurvey/commit/d56619a50cfd191bbffd0adb660638a5e438070d (GHSA, x_refsource_MISC, web)
5. github.com/LimeSurvey/LimeSurvey/pull/2044 (GHSA, web)
6. www.on-x.com/sites/default/files/on-x_-_security_advisory_-_limesurvey_-_cve-2021-42112.pdf (GHSA, x_refsource_MISC, web)
News mentions (0)
No linked articles in our index yet.