CVE-2025-56421
Description
SQL Injection vulnerability in LimeSurvey before v.6.15.4+250710 allows a remote attacker to obtain sensitive information from the database.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in LimeSurvey statistics component before 6.15.4+250710 lets remote attackers extract sensitive database information.
Vulnerability
Overview
LimeSurvey versions prior to 6.15.4+250710 contain an SQL injection vulnerability in the statistics functionality [1][2]. The flaw was tracked as Mantis issue #20145 and fixed in pull request #4328 (commit d6c3c780cdd1) [3].
Exploitation
The attacker is remote but not unauthenticated: the patched controller action listcolumn() checks Permission::model()->hasSurveyPermission($surveyid, 'statistics', 'read') before the new validation, so the request must come from an account with statistics read permission on the target survey [3]. The injection point is the sortmethod parameter of that action, which the helper _listcolumn() concatenated unchecked into the ORDER BY clause ($search['order'] = $sortby . ' ' . $sortmethod) [3]. The fix normalises sortmethod with strtoupper() and allow-lists it to ASC or DESC: the controller answers a 400 error for any other value, and the helper additionally blanks the value before building the query [3].
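To make the mechanism concrete, here is an added, stand-alone PHP example (not LimeSurvey code): it models the ORDER BY construction shown in the patch with the vulnerable builder beside a fixed one. quoteColumnName() is a stand-in for Yii's quoting helper, the function names and the sample inputs are constructed for this illustration, and the bad direction string is a generic example of extra SQL riding in the direction slot, not a payload from the advisory.

```php
<?php
// Added example, not LimeSurvey code. Models the ORDER BY construction seen in
// statistics_helper::_listcolumn() with stand-ins for the Yii helpers; all
// function names and inputs below are assumptions made for the illustration.

declare(strict_types=1);

/** Stand-in for Yii::app()->db->quoteColumnName(): MySQL-style backtick quoting. */
function quoteColumnName(string $name): string
{
    return '`' . str_replace('`', '``', $name) . '`';
}

/**
 * Pre-fix behaviour: $sortmethod is appended unchanged after the quoted column,
 * so anything that is not ASC/DESC becomes part of the generated SQL.
 */
function buildOrderVulnerable(string $sortby, string $sortmethod, string $sorttype = ''): string
{
    $sortby = quoteColumnName($sortby);
    if ($sorttype === 'N') {
        $sortby = "($sortby * 1)"; // numeric sort, as in the helper
    }
    return $sortby . ' ' . $sortmethod;
}

/**
 * Fixed behaviour: a sort direction is SQL syntax, not a value, so it cannot be
 * bound as a prepared-statement parameter and must be allow-listed. This mirrors
 * the controller's check (reject with an error) rather than the helper's
 * (silently drop the value).
 */
function buildOrderFixed(string $sortby, string $sortmethod, string $sorttype = ''): string
{
    $sortmethod = strtoupper($sortmethod);
    if ($sortmethod !== '' && !in_array($sortmethod, ['ASC', 'DESC'], true)) {
        throw new InvalidArgumentException('Invalid sortmethod: ' . $sortmethod);
    }
    $sortby = quoteColumnName($sortby);
    if ($sorttype === 'N') {
        $sortby = "($sortby * 1)";
    }
    return rtrim($sortby . ' ' . $sortmethod);
}

// Constructed inputs: two normal requests and one whose direction carries extra SQL.
$inputs = [
    ['answer_1', 'asc', ''],
    ['answer_1', 'desc', 'N'],
    ['answer_1', 'ASC, (SELECT 1)', ''], // constructed bad direction, not from the advisory
];

foreach ($inputs as [$sortby, $sortmethod, $sorttype]) {
    printf("vulnerable: ORDER BY %s\n", buildOrderVulnerable($sortby, $sortmethod, $sorttype));
    try {
        printf("fixed:      ORDER BY %s\n", buildOrderFixed($sortby, $sortmethod, $sorttype));
    } catch (InvalidArgumentException $e) {
        printf("fixed:      rejected (%s)\n", $e->getMessage());
    }
}
```

Run it with php on the command line. The third input shows why escaping is the wrong tool here: the vulnerable builder emits the extra clause verbatim, while the fixed builder refuses it. The column name ($sortby) is the other user-controlled piece of the clause; it is also syntax rather than a value, which is why the helper quotes it as an identifier instead of binding it.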
Impact
Successful exploitation allows an attacker to read data from the database, potentially compromising sensitive survey responses, user credentials, or other confidential information [2]. Because the injection lands in an ORDER BY clause rather than a WHERE clause, the attacker generally cannot make the query return arbitrary rows directly; extraction is typically blind, by making the sort order or the response time depend on a condition, which is slower but still yields the underlying data.
Mitigation
The vulnerability is patched in LimeSurvey version 6.15.4+250710. Users should upgrade immediately [1][3]. No workaround is available [1].
- [1] GitHub - LimeSurvey/LimeSurvey (project repository)
- [2] NVD - CVE-2025-56421
- [3] Fixed issue #20145: [Security] SQL injection in statistics (thanks to AnNguyen) by Shnoulle · Pull Request #4328 · LimeSurvey/LimeSurvey
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| limesurvey/limesurvey (Packagist) | < 6.15.4 | 6.15.4 |
Affected products
- LimeSurvey/LimeSurvey
  - Range: <6.15.4+250710
Patches
d6c3c780cdd1 Fixed issue #20145: [security] SQL injection in statistics (thanks to AnNguyen) (#4328)
2 files changed · +12 −2
application/controllers/admin/Statistics.php+5 −0 modified@@ -516,6 +516,11 @@ public function listcolumn($surveyid, $column, $sortby = "", $sortmethod = "", $ if (!Permission::model()->hasSurveyPermission($surveyid, 'statistics', 'read')) { throw new CHttpException(403, gT("You do not have permission to access this page.")); } + // Break for sortmethod bad parameter (mantis #20145) + $sortmethod = strtoupper($sortmethod); + if ($sortmethod && !in_array($sortmethod, ['ASC', 'DESC'])) { + throw new CHttpException(400, gT("Invalid request.")); + } Yii::app()->loadHelper('admin/statistics'); $helper = new statistics_helper(); $aData['data'] = $helper->_listcolumn($surveyid, $column, $sortby, $sortmethod, $sorttype);
application/helpers/admin/statistics_helper.php+7 −2 modified@@ -4219,10 +4219,15 @@ function _listcolumn($surveyid, $column, $sortby = "", $sortmethod = "", $sortty } else { $sortby = Yii::app()->db->quoteColumnName($sortby); } - + //Converts text sorting into numerical sorting if ($sorttype == 'N') { $sortby = "($sortby * 1)"; - } //Converts text sorting into numerical sorting + } + // Avoid bad sortmethod parameter (mantis #20145) + $sortmethod = strtoupper($sortmethod); + if ($sortmethod && !in_array($sortmethod, ['ASC', 'DESC'])) { + $sortmethod = ""; + } $search['order'] = $sortby . ' ' . $sortmethod; } $results = SurveyDynamic::model($surveyid)->findAll($search);
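Review bot: in the Statistics.php hunk the new guard in listcolumn() validates only $sortmethod; $sortby and $sorttype still pass to $helper->_listcolumn() unchecked from the same request, and the only visible protection for $sortby is the quoteColumnName() call in the helper's else branch, whose if branch lies outside this patch. If $sortby is meant to be a column of the survey table, check it against the survey's column list next to the ASC/DESC test so the 400 covers every user-controlled sort input. Minor: "Break for sortmethod bad parameter" reads awkwardly; "Reject invalid sortmethod parameter" says what the block does.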
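Review bot: in the statistics_helper.php hunk _listcolumn() silently replaces an invalid $sortmethod with "" instead of failing, so any caller other than the controller (which already returns 400) gets a different sort order than it asked for with no signal; either throw here as well or return an error the controller maps to 400, so the rule lives in one place and the two copies of the in_array() check cannot drift apart. With $sortmethod blanked, $search['order'] = $sortby . ' ' . $sortmethod; also leaves a trailing space; harmless for SQL, but trimming it keeps the generated query tidy. Moving "Converts text sorting into numerical sorting" above the if it describes is a welcome cleanup.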
References
- github.com/advisories/GHSA-rccq-2fxq-7x3h [GHSA, advisory]
- nvd.nist.gov/vuln/detail/CVE-2025-56421 [GHSA, advisory]
- limesurvey.com [GHSA, web]
- github.com/LimeSurvey/LimeSurvey/commit/d6c3c780cdd17d5eef1c8c69ad0105beffa2374f [GHSA, web]
- github.com/LimeSurvey/LimeSurvey/pull/4328 [GHSA, web]
- github.com/hongancalif/security-advisories/blob/main/CVE-2025-56421.md [GHSA, web]