VYPR
Moderate severity · NVD Advisory · Published Oct 7, 2024 · Updated Mar 25, 2025

CVE-2024-28710

Description

Cross Site Scripting vulnerability in LimeSurvey before 6.5.0+240319 allows a remote attacker to execute arbitrary code via a lack of input validation and output encoding in the Alert Widget's message component.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cross-Site Scripting (XSS) vulnerability in LimeSurvey's Alert Widget: request-supplied values reach the widget without input validation or output encoding, allowing a remote attacker to run arbitrary JavaScript in the victim's browser.

Vulnerability

Overview

A Cross-Site Scripting (XSS) vulnerability exists in LimeSurvey versions prior to 6.5.0+240319, specifically in the Alert Widget's message component. The issue arises from a lack of input validation and output encoding: values taken from the request are passed to the widget and rendered without being HTML-encoded[1][2].

Exploitation

An attacker exploits this by placing a script payload in the message parameter that AjaxAlertController reads from the POST body and hands to the Alert Widget as its text; the alertType parameter and the tag custom option were likewise copied through unsanitized, so attribute and element-name injection were possible as well. Because the values are rendered without output encoding, the injected script executes in the victim's browser when the alert is displayed[4].

Impact

Successful exploitation runs attacker-controlled JavaScript in the victim's browser under the application's origin, potentially leading to session hijacking, data theft, or defacement. Because the browser attaches the victim's session to requests the script issues, the attacker can also perform actions on the victim's behalf[2][3].

Mitigation

The vulnerability is fixed in LimeSurvey 6.5.0+240319. The patch HTML-encodes the message with CHtml::encode(), reduces the alertType parameter and the tag custom option to alphanumeric characters with sanitize_alphanumeric(), and casts the timeout option to an integer[4]. Users should upgrade immediately. Where upgrading is not yet possible, restricting access to the AJAX alert endpoint and deploying a Content Security Policy that disallows inline script reduce the risk[1].
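As an added illustration (example code, not LimeSurvey's or this page's own), the following PHP models the option translation in AjaxAlertController before and after the fix. CHtml::encode() is stood in by htmlspecialchars() with ENT_QUOTES, which is what the Yii helper wraps; the character class used for the sanitize_alphanumeric() stand-in, the default tag, and the widget view markup are assumptions, since the real view is not shown on this page.

```php
<?php
// Added example: models AjaxAlertController::translateOptionsForWidget()
// before and after the 6.5.0+240319 fix. Not LimeSurvey code.

// Stand-in for Yii's CHtml::encode(): HTML-encodes <, >, &, ' and ".
function encode_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Stand-in for LimeSurvey's sanitize_alphanumeric(). The exact character
// class of the real helper is not shown on the page; ASCII letters, digits
// and underscore are assumed here.
function sanitize_alnum(string $s): string
{
    return preg_replace('/[^A-Za-z0-9_]/', '', $s);
}

// Vulnerable translation: POST values are copied straight into the
// widget options, as in the pre-fix controller.
function translate_vulnerable(array $post): array
{
    $custom = $post['customOptions'] ?? [];
    return [
        'text' => $post['message'] ?? 'message',
        'type' => $post['alertType'] ?? 'success',
        'tag'  => $custom['tag'] ?? 'div',   // default tag is an assumption
    ];
}

// Hardened translation, following the shape of the upstream fix:
// encode the message, reduce type and tag to alphanumerics.
function translate_hardened(array $post): array
{
    $custom = $post['customOptions'] ?? [];
    return [
        'text' => encode_html($post['message'] ?? 'message'),
        'type' => sanitize_alnum($post['alertType'] ?? 'success'),
        'tag'  => sanitize_alnum($custom['tag'] ?? 'div'),
    ];
}

// Minimal stand-in for the Alert Widget view. The real view's markup is
// not on this page; this one interpolates the options without encoding,
// which is the sink the fix relies on the controller having covered.
function render_alert(array $opts): string
{
    return sprintf(
        '<%s class="alert alert-%s">%s</%s>',
        $opts['tag'],
        $opts['type'],
        $opts['text'],
        $opts['tag']
    );
}

// Constructed request body: a script payload in the message, an attribute
// injection in the alert type and an element-name injection in the tag.
$post = [
    'message'       => '<img src=x onerror="alert(document.cookie)">',
    'alertType'     => 'success" onmouseover="alert(1)',
    'customOptions' => ['tag' => 'script'],
];

echo "vulnerable: ", render_alert(translate_vulnerable($post)), PHP_EOL;
echo "hardened:   ", render_alert(translate_hardened($post)), PHP_EOL;
```

Run it with `php example.php`. The vulnerable line reproduces the img/onerror payload and the injected onmouseover attribute verbatim; the hardened line emits the message as HTML entities, so the browser shows it as text, and strips the quote and spaces from the type so no new attribute is formed. Note that the alphanumeric filter is a character filter rather than an allow-list: the tag value `script` passes it unchanged. Checking type and tag against the fixed set of alert types and element names the widget actually supports is the stricter choice.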

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: limesurvey/limesurvey (Packagist)
Affected versions: < 6.5.0
Patched versions: 6.5.0

Affected products: 3

Patches: 1

Commit c2fd60f94bc1

Fixed issue #19459: [security] Potential XSS via ajaxHelper (#3781)

https://github.com/LimeSurvey/LimeSurvey · Denis Chenu · Mar 15, 2024 · via ghsa
1 file changed · +5 −4
  • application/controllers/AjaxAlertController.php (+5 −4, modified)
    @@ -27,21 +27,22 @@ private function translateOptionsForWidget()
             $customOptions = $request->getPost('customOptions', []);
     
             $translatedOptions = [];
    -        $translatedOptions['text'] = $request->getPost('message', 'message');
    -        $translatedOptions['type'] = $request->getPost('alertType', 'success');
    +        $translatedOptions['text'] = CHtml::encode($request->getPost('message', 'message'));
    +        $translatedOptions['type'] = sanitize_alphanumeric($request->getPost('alertType', 'success'));
             $knownOptions = ['tag', 'isFilled', 'showIcon', 'showCloseButton', 'timeout'];
             foreach ($knownOptions as $knownOption) {
                 if (array_key_exists($knownOption, $customOptions)) {
                     if ($knownOption == 'tag') {
    -                    $translatedOptions[$knownOption] = $customOptions[$knownOption];
    +                    $translatedOptions[$knownOption] = sanitize_alphanumeric($customOptions[$knownOption]);
                     } elseif ($knownOption == 'timeout') {
    -                    $translatedOptions[$knownOption] = (int) $customOptions[$knownOption];
    +                    $translatedOptions[$knownOption] = intval($customOptions[$knownOption]);
                     } else {
                         $translatedOptions[$knownOption] = $customOptions[$knownOption] !== 'false';
                     }
                 }
             }
             if (array_key_exists('htmlOptions', $customOptions)) {
    +            // htmlOptions is encoded by view
                 $translatedOptions['htmlOptions'] = json_decode_ls($customOptions['htmlOptions']);
             }
     
    
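Review bot: the `text` option is now HTML-encoded in the controller rather than at the output sink, but the hunk records that contract only for `htmlOptions` (`// htmlOptions is encoded by view`); add a matching comment on the `CHtml::encode($request->getPost('message', 'message'))` line stating that the widget view must emit `text` raw, otherwise a later change that encodes in the view double-encodes legitimate messages (`&` becomes `&amp;amp;`) while a caller that bypasses this helper stays unencoded. For `type` and `tag`, `sanitize_alphanumeric()` is a character filter, not an allow-list: a value such as `script` passes it unchanged, so consider checking both against the fixed set of alert types and element names the widget supports. The `(int)` to `intval()` change on `timeout` is behaviourally neutral and could be dropped to keep the security fix minimal.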


References: 5

News mentions: 0