CVE-2024-28709
📋 TL;DR
A Cross-Site Scripting (XSS) vulnerability in LimeSurvey allows attackers to inject malicious scripts into title and comment fields. When executed, these scripts can steal session cookies, redirect users, or perform actions on their behalf. This affects all LimeSurvey instances running versions before 6.5.12+240611.
💻 Affected Systems
- LimeSurvey
📦 What is this software?
Limesurvey by Limesurvey
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator session cookies, gain administrative access, install backdoors, exfiltrate survey data, or compromise the entire server if combined with other vulnerabilities.
Likely Case
Attackers inject malicious scripts that steal user session cookies, redirect users to phishing sites, or perform unauthorized actions within the survey application.
If Mitigated
With proper input validation and output encoding, malicious scripts would be neutralized before execution, preventing any impact.
🎯 Exploit Status
XSS vulnerabilities are commonly weaponized. The vulnerability requires no authentication and exploitation is straightforward via crafted input in title/comment fields.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.5.12+240611
Vendor Advisory: https://github.com/LimeSurvey/LimeSurvey/commit/c844c4fba81cc26ffe6544bf095bad6252910bc0
Restart Required: No
Instructions:
1. Back up your LimeSurvey installation and database.
2. Download version 6.5.12+240611 or later from the official LimeSurvey website.
3. Replace the existing installation files with the updated version.
4. Clear browser caches and test functionality.
🔧 Temporary Workarounds
Input Validation Filter
Implement server-side input validation to sanitize title and comment fields by removing or encoding HTML/JavaScript content. Encoding the fields again at the point where they are written into HTML (output encoding) is what actually neutralizes a script, so an input filter alone should not be relied on.
Modify LimeSurvey source code to add input sanitization functions for title and comment fields
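The following is an added illustration of the workaround, not LimeSurvey code: it renders a survey title and comment into an HTML fragment the unsafe way (raw concatenation) and the hardened way (output encoding), then runs both through an HTML tokenizer to show what a browser would see. The sample title and comment values are constructed, and the data-note attribute and the page layout are assumptions made for the example.

```python
"""Added example (not LimeSurvey code): output encoding neutralises stored XSS
in title/comment fields, and where encoding alone is not enough."""
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample input of the kind the advisory describes: a title that
# injects an element, and a comment that breaks out of an attribute.
SAMPLE_TITLE = 'Customer survey <script>alert(1)</script>'
SAMPLE_COMMENT = '" onmouseover="alert(1)'


def render_vulnerable(title: str, comment: str) -> str:
    # Untrusted text pasted straight into element content and into an
    # attribute value: the bug class behind CVE-2024-28709.
    return f'<h1>{title}</h1><div data-note="{comment}">{comment}</div>'


def render_hardened(title: str, comment: str) -> str:
    # html.escape(quote=True) encodes & < > " and ', so the text can neither
    # open a new element nor close the attribute it is placed in.
    safe_title = html.escape(title, quote=True)
    safe_comment = html.escape(comment, quote=True)
    return (f'<h1>{safe_title}</h1>'
            f'<div data-note="{safe_comment}">{safe_comment}</div>')


def safe_link(url: str) -> str:
    # Encoding does not help inside href: "javascript:alert(1)" contains no
    # character html.escape would touch. Allow only http(s) URLs instead.
    scheme = urlsplit(url.strip()).scheme.lower()
    return html.escape(url, quote=True) if scheme in ('http', 'https') else '#'


class ActiveContentFinder(HTMLParser):
    """Records script elements and on* event-handler attributes the way a
    browser's tokenizer would see them after entity decoding."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == 'script':
            self.findings.append('script element')
        for name, _value in attrs:
            if name.startswith('on'):
                self.findings.append(f'event handler attribute {name}')


def find_active_content(fragment: str) -> list[str]:
    # Parse the fragment and return the executable constructs it contains.
    parser = ActiveContentFinder()
    parser.feed(fragment)
    parser.close()
    return parser.findings


if __name__ == '__main__':
    for label, render in (('vulnerable', render_vulnerable),
                          ('hardened', render_hardened)):
        page = render(SAMPLE_TITLE, SAMPLE_COMMENT)
        print(f'{label}: {find_active_content(page) or "no active content"}')
    print('link:', safe_link('javascript:alert(1)'), safe_link('https://example.org/s'))
```

The tokenizer is used deliberately instead of a regular expression: the hardened output still contains the literal text "onmouseover=", but once it is encoded inside the attribute value no browser treats it as an attribute name, and a regex on raw text would report a false positive there.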
Content Security Policy (CSP)
Implement a strict CSP header to prevent execution of inline scripts and restrict script sources to trusted domains only.
Add the response header Content-Security-Policy: script-src 'self' in the web server configuration. A script-src directive without 'unsafe-inline' also blocks the application's own inline scripts, so test the admin and survey pages on a staging instance before deploying it in production.
🧯 If You Can't Patch
- Disable or restrict access to title and comment input fields through application configuration or web server rules.
- Implement a Web Application Firewall (WAF) with XSS protection rules to filter malicious input before it reaches the application.
🔍 How to Verify
Check if Vulnerable:
Check your LimeSurvey version in the administration panel or by examining the application files. If the version is below 6.5.12+240611, you are vulnerable.
Check Version:
Check LimeSurvey admin panel or examine the file /application/config/version.php for version information.
Verify Fix Applied:
After patching, verify the version shows 6.5.12+240611 or higher. Test by attempting to inject basic XSS payloads into title/comment fields to ensure they are properly sanitized.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to title/comment endpoints with script tags or JavaScript code
- Multiple failed XSS attempts in web server logs
Network Indicators:
- HTTP requests containing malicious script payloads in title or comment parameters
- Unexpected outbound connections from user browsers after visiting survey pages
SIEM Query:
source="web_server" AND (http_method="POST" AND (uri_path="*title*" OR uri_path="*comment*") AND (request_body="*<script>*" OR request_body="*javascript:*"))