CVE-2020-36993 Overview
CVE-2020-36993 is a stored cross-site scripting (XSS) vulnerability in LimeSurvey 4.3.10, an open-source online survey application. The flaw resides in the Survey Menu functionality of the administration panel. Attackers with low-privilege authenticated access can inject malicious SVG-based JavaScript payloads through the Surveymenu[title] and Surveymenu[parent_id] parameters. When other administrators view the affected menu, the injected scripts execute in their browser context. This vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation).
Critical Impact
Authenticated attackers can execute arbitrary JavaScript in administrator browsers, enabling session hijacking, privileged action abuse, and persistent compromise of the LimeSurvey administration interface.
Affected Products
- LimeSurvey 4.3.10 and earlier 4.x releases
- LimeSurvey installations exposing the administration panel to multiple users
- Deployments running the unpatched SurveymenuController and UserManagementController components
Discovery Timeline
- 2026-01-28 - CVE-2020-36993 published to NVD
- 2026-02-02 - Last updated in NVD database
Technical Details for CVE-2020-36993
Vulnerability Analysis
The vulnerability exists in the Survey Menu administration workflow within LimeSurvey 4.3.10. When an authenticated user submits a new or edited survey menu entry, the Surveymenu[title] and Surveymenu[parent_id] POST parameters are stored in the database without HTML sanitization. The values are later rendered into administrative pages without proper encoding. An attacker can submit an SVG element containing event handlers or <script> tags as the title value. When any administrator browses the Survey Menu interface, the payload executes under the application origin. The attack vector is network-based and requires low privileges plus user interaction by another administrator.
Root Cause
The root cause is missing input neutralization in application/controllers/admin/SurveymenuController.php and application/controllers/UserManagementController.php. User-supplied fields including title, description, and full_name were persisted directly into application storage without passing through the flattenText() sanitization helper. Output rendering layers also failed to escape these stored values, completing the stored XSS chain.
Attack Vector
An attacker with an authenticated low-privileged LimeSurvey account submits a crafted POST request to the survey menu endpoint with an SVG-based JavaScript payload in Surveymenu[title]. The payload persists in the database. A higher-privileged administrator triggers execution by visiting the menu management view, allowing the attacker to hijack the session or perform privileged actions.
// Security patch in application/controllers/admin/SurveymenuController.php
// Sanitizes user input via flattenText() before persistence
// (excerpt: the remainder of the save path is not reproduced here)
$success = false;
if (Yii::app()->request->isPostRequest) {
    $aSurveymenu = Yii::app()->request->getPost('Surveymenu', []);
    // Sanitize title and description to prevent XSS attack
    if (isset($aSurveymenu['title'])) {
        $aSurveymenu['title'] = flattenText($aSurveymenu['title'], false, true);
    }
    if (isset($aSurveymenu['description'])) {
        $aSurveymenu['description'] = flattenText($aSurveymenu['description'], false, true);
    }
    if ($aSurveymenu['id'] == '') {
        unset($aSurveymenu['id']);
        $aSurveymenu['created_at'] = date('Y-m-d H:i:s');
    }
    // ... remainder of the save logic omitted in this excerpt
}
Source: LimeSurvey GitHub commit 3712854
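To make the two layers in the root-cause description concrete (input neutralization at the storage boundary and output encoding at render time), here is an added Python model of the stored XSS chain. It is not LimeSurvey code: flatten_text is an assumed stand-in for the PHP flattenText() helper (tag stripping plus whitespace collapsing only), and the list-item markup, the sample titles and the has_executable_markup check are constructed for this example.

```python
import html
import re

# Constructed sample titles as they might arrive in Surveymenu[title] (not live payloads)
SAMPLE_TITLE = '<svg onload="x()">Reports</svg>'
# A malformed tag with no closing '>' that a naive tag stripper leaves untouched
MALFORMED_TITLE = '<svg onload=x() Reports'

# Assumed analogue of flattenText(): remove anything that looks like a complete tag
TAG_RE = re.compile(r"<[^>]*>")


def flatten_text(value: str) -> str:
    """Input neutralization at the storage boundary (assumed stand-in for flattenText)."""
    return " ".join(TAG_RE.sub("", value).split())


def render_unsafe(title: str) -> str:
    """Vulnerable rendering: the stored value is concatenated straight into the page HTML."""
    return f'<li class="menu-item">{title}</li>'


def render_safe(title: str) -> str:
    """Hardened rendering: contextual output encoding for an HTML text node."""
    return f'<li class="menu-item">{html.escape(title, quote=True)}</li>'


# Does the rendered fragment still contain a real tag carrying an on*= event handler?
EXECUTABLE_RE = re.compile(r"<\w+[^>]*\bon\w+\s*=", re.I)


def has_executable_markup(fragment: str) -> bool:
    """True when a raw tag with an event-handler attribute survived into the output."""
    return bool(EXECUTABLE_RE.search(fragment))


def store_and_render(raw_title: str) -> dict:
    """Run a submitted title through both defensive layers and report each stage."""
    stored = flatten_text(raw_title)
    return {
        "stored": stored,
        "rendered_unsafe": render_unsafe(stored),
        "rendered_safe": render_safe(stored),
    }


if __name__ == "__main__":
    for title in (SAMPLE_TITLE, MALFORMED_TITLE):
        result = store_and_render(title)
        print("stored:        ", result["stored"])
        print("unsafe render: ", result["rendered_unsafe"],
              "| executable:", has_executable_markup(result["rendered_unsafe"]))
        print("safe render:   ", result["rendered_safe"],
              "| executable:", has_executable_markup(result["rendered_safe"]))
```

The second sample shows why the patch's input-side sanitization is only half of the fix: a regex tag stripper keys on a closing '>' and passes the malformed title through unchanged, so only output encoding at render time reliably prevents the stored value from being interpreted as markup.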
Detection Methods for CVE-2020-36993
Indicators of Compromise
- Survey menu records containing <svg>, <script>, onload=, or onerror= tokens in the title, description, or parent_id fields.
- Outbound HTTP requests from administrator browsers to unfamiliar domains immediately after visiting /admin/surveymenu pages.
- Unexpected administrator account modifications or new account creation following a low-privilege user editing a survey menu.
Detection Strategies
- Query the surveymenu database table for entries with HTML tags or JavaScript event handler attributes in stored text columns.
- Inspect web server access logs for POST requests to /index.php?r=admin/surveymenu whose request line contains a URL-encoded less-than sign (%3C) or the token script. Standard access logs record the request line but not the POST body, so payloads submitted only in the body are visible only through WAF or request-body logging.
- Review LimeSurvey audit logs for survey menu creation or update events performed by non-administrator accounts.
Monitoring Recommendations
- Enable LimeSurvey's audit logging plugin and forward events to a centralized log management platform.
- Deploy a web application firewall (WAF) rule that inspects POST bodies submitted to LimeSurvey admin endpoints for XSS signatures.
- Monitor administrator session activity for anomalous API calls, such as unsolicited user creation or permission changes after menu page visits.
How to Mitigate CVE-2020-36993
Immediate Actions Required
- Upgrade LimeSurvey to a version that includes commit 3712854a8fd8d875c67640969a1d54c4d93d3676 or later.
- Audit existing surveymenu and user profile records for stored HTML or JavaScript payloads and sanitize them.
- Restrict survey menu management permissions to trusted administrators only, removing the privilege from general operator accounts.
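The record and access-log checks listed under Detection Strategies, and the record audit listed above under Immediate Actions, as an added Python example that is not LimeSurvey code. The surveymenu rows, the combined-format log lines, the column names and the query-string form of the /index.php?r=admin/surveymenu request are all constructed for this example; the body-level detection the page describes needs WAF or request-body logging, which a plain access log does not provide.

```python
import re
from urllib.parse import unquote

# Markup that should never appear in a survey-menu text column (see Indicators of Compromise)
SUSPECT_RE = re.compile(
    r"<\s*(svg|script|img|iframe)\b|\bon(load|error|mouseover|focus)\s*=|javascript\s*:", re.I
)
# Any HTML tag at all: lower severity, but still worth a manual look
ANY_TAG_RE = re.compile(r"<\s*/?\s*[a-z][^>]*>", re.I)
TEXT_COLUMNS = ("title", "description", "parent_id")

# Constructed sample rows, shaped like an export of the surveymenu table (not real data)
SAMPLE_ROWS = [
    {"id": 1, "title": "Settings", "description": "Survey settings", "parent_id": "0"},
    {"id": 7, "title": '<svg onload="x()">Reports', "description": "", "parent_id": "1"},
    {"id": 9, "title": "Export", "description": "Export <b>all</b> responses",
     "parent_id": "<script>z()</script>"},
]

# Constructed combined-format access log lines (the query-string payload form is assumed)
SAMPLE_LOG = """\
10.0.0.5 - - [28/Jan/2026:10:01:02 +0000] "GET /index.php?r=admin/surveymenu HTTP/1.1" 200 5120
10.0.0.5 - - [28/Jan/2026:10:01:30 +0000] "POST /index.php?r=admin/surveymenu&Surveymenu%5Btitle%5D=%3Csvg%20onload%3Dx()%3E HTTP/1.1" 302 0
10.0.0.9 - - [28/Jan/2026:10:02:00 +0000] "POST /index.php?r=admin/surveymenu HTTP/1.1" 302 0
10.0.0.9 - - [28/Jan/2026:10:02:05 +0000] "POST /index.php?r=survey/index HTTP/1.1" 200 900
"""

LOG_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def classify(value: str):
    """'high' for script-capable markup, 'low' for any other tag, None for clean text."""
    if SUSPECT_RE.search(value):
        return "high"
    if ANY_TAG_RE.search(value):
        return "low"
    return None


def scan_rows(rows):
    """Audit stored records: return (row id, column, severity) for every flagged text column."""
    hits = []
    for row in rows:
        for col in TEXT_COLUMNS:
            severity = classify(str(row.get(col, "")))
            if severity:
                hits.append((row["id"], col, severity))
    return hits


def scan_access_log(text: str):
    """Flag POSTs to the survey-menu route whose request line carries encoded markup.

    Only the request line is inspected, so this catches query-string payloads; POST bodies
    are not present in a standard access log.
    """
    hits = []
    for line in text.splitlines():
        m = LOG_LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        target = unquote(m["target"])
        if "r=admin/surveymenu" in target and SUSPECT_RE.search(target):
            hits.append((m["ip"], m["ts"], target))
    return hits


if __name__ == "__main__":
    for row_id, col, severity in scan_rows(SAMPLE_ROWS):
        print(f"surveymenu id={row_id} column={col} severity={severity}")
    for ip, ts, target in scan_access_log(SAMPLE_LOG):
        print(f"access log {ts} {ip} -> {target}")
```

Rows flagged "high" are candidates for the sanitization step above; rows flagged "low" contain ordinary tags that may be legitimate formatting and should be reviewed before being rewritten.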
Patch Information
LimeSurvey addressed the issue in commit 3712854a8fd8d875c67640969a1d54c4d93d3676, which routes the title, description, and full_name fields through the flattenText() helper to strip HTML and script content prior to database persistence. Review the LimeSurvey patch commit and the VulnCheck advisory for full technical details. A public proof of concept is documented in Exploit-DB entry 48762.
Workarounds
- Place LimeSurvey administration paths behind an authenticated reverse proxy or VPN, limiting access to a known set of administrators.
- Implement a strict Content Security Policy (CSP) header on admin pages that disallows inline scripts and untrusted SVG sources; test it against the administration interface first, since a policy that blocks inline scripts can break admin pages that depend on them.
- Apply WAF signatures that block requests where Surveymenu[title] or Surveymenu[parent_id] parameters contain HTML markup.
# Example nginx CSP header for LimeSurvey admin paths
# Note: add_header directives in a location block replace, rather than extend,
# any add_header directives set at the server level
location /index.php {
    add_header Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.