Skip to main content
CVE Vulnerability Database

CVE-2024-6933: LimeSurvey SQL Injection Vulnerability

CVE-2024-6933 is a SQL injection flaw in LimeSurvey 6.5.14-240624 affecting the Survey General Settings Handler. Attackers can exploit this remotely via the Language parameter. This article covers technical details, affected versions, impact, and mitigation steps.

Published:

CVE-2024-6933 Overview

CVE-2024-6933 is a SQL injection vulnerability affecting LimeSurvey 6.5.14-240624. The flaw resides in the actionUpdateSurveyLocaleSettingsGeneralSettings function within /index.php?r=admin/database/index/updatesurveylocalesettings_generalsettings, part of the Survey General Settings Handler. Attackers with low-privileged authenticated access can manipulate the Language argument to inject arbitrary SQL statements. The issue stems from improper handling of language codes passed to the cleanLanguagesFromSurvey() helper. LimeSurvey resolved the issue in version 6.6.2+240827 via commit d656d2c7980b7642560977f4780e64533a68e13d. The vulnerability is tracked under [CWE-89] (SQL Injection) and [CWE-74] (Improper Neutralization).

Critical Impact

Authenticated attackers can remotely inject SQL through the Language parameter, potentially compromising survey database confidentiality and integrity.

Affected Products

  • LimeSurvey 6.5.14-240624
  • LimeSurvey versions prior to 6.6.2+240827
  • LimeSurvey Survey General Settings Handler component

Discovery Timeline

  • 2024-07-21 - CVE-2024-6933 published to NVD
  • 2024-08-27 - LimeSurvey releases fixed version 6.6.2+240827 with patch d656d2c
  • 2026-04-29 - Last updated in NVD database

Technical Details for CVE-2024-6933

Vulnerability Analysis

The vulnerability exists in LimeSurvey's administrative interface for updating survey locale settings. When an authenticated user submits changes through /index.php?r=admin/database/index/updatesurveylocalesettings_generalsettings, the actionUpdateSurveyLocaleSettingsGeneralSettings function processes the Language parameter without proper sanitization. The unsanitized input flows into downstream database operations, allowing attackers to break out of expected query context and append arbitrary SQL.

The attack requires only low privileges and is exploitable over the network without user interaction. Public exploit information has been published through VulDB entry 271988, increasing the likelihood of opportunistic exploitation against unpatched instances. The EPSS probability score is 0.153%.

Root Cause

The root cause is missing input validation on language codes passed to the cleanLanguagesFromSurvey() function in application/helpers/common_helper.php. The pre-patch implementation accepted the $baselang parameter directly without applying sanitize_languagecode(), allowing the parameter value to reach SQL operations that remove languages from survey tables. Attackers control the value of this parameter through the administrative form submission.

Attack Vector

An authenticated attacker with access to the survey administration interface sends a crafted POST request to the locale settings endpoint. The attacker injects SQL syntax into the Language field, which is parsed as part of the language cleanup logic. Successful exploitation can disclose, modify, or destroy survey response data and configuration stored in the LimeSurvey database.

php
 * cleanLanguagesFromSurvey() removes any languages from survey tables that are not in the passed list
 * @param string $sid - the currently selected survey
 * @param string $availlangs - space separated list of additional languages in survey
+* @param string|null $baselang - the base language to be used
 * @return void
 */
-function cleanLanguagesFromSurvey($iSurveyID, $availlangs, $baselang = null)
+function cleanLanguagesFromSurvey($iSurveyID, $availlangs, $baselang = '')
 {
     Yii::app()->loadHelper('database');
     $iSurveyID = (int) $iSurveyID;
-    $baselang = $baselang ?? Survey::model()->findByPk($iSurveyID)->language;
+    $baselang = sanitize_languagecode($baselang);
+    if (empty($baselang)) {
+        $baselang = Survey::model()->findByPk($sid)->language;
+    }
     $aLanguages = [];
     if (!empty($availlangs) && $availlangs != " ") {
         $availlangs = sanitize_languagecodeS($availlangs);

Source: LimeSurvey Commit d656d2c. The patch wraps the $baselang parameter with sanitize_languagecode() before any database operations execute.

Detection Methods for CVE-2024-6933

Indicators of Compromise

  • HTTP POST requests to /index.php?r=admin/database/index/updatesurveylocalesettings_generalsettings containing SQL metacharacters such as single quotes, UNION, SELECT, or comment markers in the Language parameter.
  • Web server access logs showing repeated requests to the locale settings endpoint from a single authenticated session.
  • Unexpected database errors or anomalous query patterns in MySQL or PostgreSQL logs originating from the LimeSurvey application user.

Detection Strategies

  • Inspect application logs for malformed Language values submitted to the survey general settings handler.
  • Deploy web application firewall rules that flag SQL syntax in fields expected to contain ISO language codes (typically 2–10 alphanumeric characters with hyphens).
  • Correlate administrative login events with subsequent locale settings modifications to identify abuse of low-privilege accounts.

Monitoring Recommendations

  • Monitor LimeSurvey administrative endpoints for parameter values that violate expected language code format.
  • Alert on database query errors generated by the LimeSurvey service account.
  • Track changes to survey language configuration outside of expected administrative workflows.

How to Mitigate CVE-2024-6933

Immediate Actions Required

  • Upgrade LimeSurvey to version 6.6.2+240827 or later, which contains the d656d2c patch.
  • Audit administrative accounts and disable or rotate credentials for unused low-privilege admin users.
  • Review recent survey locale changes for unauthorized modifications and inspect database integrity.

Patch Information

LimeSurvey released the fix in commit d656d2c7980b7642560977f4780e64533a68e13d, included in version 6.6.2+240827. The patch applies sanitize_languagecode() to the $baselang parameter in cleanLanguagesFromSurvey() within application/helpers/common_helper.php. See the LimeSurvey Commit d656d2c and download the patched release from the LimeSurvey Download Section.

Workarounds

  • Restrict access to the LimeSurvey administrative interface using network-level controls such as IP allowlisting or VPN-only access.
  • Apply a web application firewall rule that rejects requests to the locale settings endpoint when the Language parameter contains characters outside [A-Za-z0-9-].
  • Enforce the principle of least privilege for survey administrator accounts until patching is complete.
bash
# Example WAF rule (ModSecurity) restricting Language parameter format
SecRule ARGS:Language "!@rx ^[A-Za-z0-9-]{2,10}$" \
    "id:1006933,phase:2,deny,status:403,\
    msg:'CVE-2024-6933: Invalid language code in LimeSurvey locale settings'"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.