CVE-2024-6933 Overview
CVE-2024-6933 is a SQL injection vulnerability in LimeSurvey 6.5.14-240624. The flaw is in the actionUpdateSurveyLocaleSettingsGeneralSettings function, reached through /index.php?r=admin/database/index/updatesurveylocalesettings_generalsettings and part of the Survey General Settings Handler. An attacker with a low-privileged authenticated account can place arbitrary SQL in the Language argument, because the language code is handed to the cleanLanguagesFromSurvey() helper without validation. LimeSurvey resolved the issue in version 6.6.2+240827 via commit d656d2c7980b7642560977f4780e64533a68e13d. The vulnerability is classified as CWE-89 (SQL Injection) and CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component).
Critical Impact
Authenticated attackers can remotely inject SQL through the Language parameter, potentially compromising survey database confidentiality and integrity.
Affected Products
- LimeSurvey 6.5.14-240624 (the version named in the advisory)
- All LimeSurvey releases prior to 6.6.2+240827
- Affected component: Survey General Settings Handler (actionUpdateSurveyLocaleSettingsGeneralSettings, reached via /index.php?r=admin/database/index/updatesurveylocalesettings_generalsettings)
Discovery Timeline
- 2024-07-21 - CVE-2024-6933 published to NVD
- 2024-08-27 - LimeSurvey releases fixed version 6.6.2+240827 with patch d656d2c
- 2026-04-29 - Last updated in NVD database
Technical Details for CVE-2024-6933
Vulnerability Analysis
The vulnerability exists in LimeSurvey's administrative interface for updating survey locale settings. When an authenticated user submits changes through /index.php?r=admin/database/index/updatesurveylocalesettings_generalsettings, the actionUpdateSurveyLocaleSettingsGeneralSettings function processes the Language parameter without proper sanitization. The unsanitized input flows into downstream database operations, allowing attackers to break out of expected query context and append arbitrary SQL.
The attack requires only low privileges and is exploitable over the network without user interaction. Public exploit information has been published through VulDB entry 271988, increasing the likelihood of opportunistic exploitation against unpatched instances. The EPSS probability score is 0.153%.
Root Cause
The root cause is missing input validation on language codes passed to cleanLanguagesFromSurvey() in application/helpers/common_helper.php. The pre-patch implementation took the $baselang parameter as supplied (defaulting to null and falling back to the survey's stored language only when the caller passed nothing), never applied sanitize_languagecode() to it, and let the raw value reach the SQL operations that remove languages from survey tables. The value is attacker-controlled through the administrative form submission.
Attack Vector
An authenticated attacker with access to the survey administration interface sends a crafted POST request to the locale settings endpoint. The attacker injects SQL syntax into the Language field, which is parsed as part of the language cleanup logic. Successful exploitation can disclose, modify, or destroy survey response data and configuration stored in the LimeSurvey database.
* cleanLanguagesFromSurvey() removes any languages from survey tables that are not in the passed list
* @param string $sid - the currently selected survey
* @param string $availlangs - space separated list of additional languages in survey
+* @param string|null $baselang - the base language to be used
* @return void
*/
-function cleanLanguagesFromSurvey($iSurveyID, $availlangs, $baselang = null)
+function cleanLanguagesFromSurvey($iSurveyID, $availlangs, $baselang = '')
{
Yii::app()->loadHelper('database');
$iSurveyID = (int) $iSurveyID;
- $baselang = $baselang ?? Survey::model()->findByPk($iSurveyID)->language;
+ $baselang = sanitize_languagecode($baselang);
+ if (empty($baselang)) {
+ $baselang = Survey::model()->findByPk($sid)->language;
+ }
$aLanguages = [];
if (!empty($availlangs) && $availlangs != " ") {
$availlangs = sanitize_languagecodeS($availlangs);
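Review bot: the fallback in the new `if (empty($baselang))` block calls `Survey::model()->findByPk($sid)`, but `$sid` is not defined anywhere in this function; the survey id parameter is `$iSurveyID` (cast to int two lines above), so the lookup runs against an undefined variable and the fallback does not yield the survey's stored language. Use `findByPk($iSurveyID)` here, and rename the docblock's `@param string $sid` to match the signature while you are at it. Separately, sanitize_languagecode() strips disallowed characters rather than rejecting the value, so a crafted input is silently turned into a different, possibly nonexistent, language code; validating the code and erroring out would be the safer behaviour for an administrative update.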
Source: LimeSurvey Commit d656d2c. The patch wraps the $baselang parameter with sanitize_languagecode() before any database operations execute, and changes the parameter default from null to an empty string so that the survey's stored language is used whenever the sanitized value is empty.
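To make the root cause and the shape of the fix concrete, the following Python model is an added example written for this page; it is not LimeSurvey code. The table, the DELETE statement, the function names and the payload are all constructed for illustration. The only thing taken from the real fix is the idea of an allowlist on the base language before it reaches SQL; the character class [A-Za-z0-9-] is the one the page's workaround uses and is assumed to match what sanitize_languagecode() keeps. It goes one step beyond the patch by also showing the parameterized form, which removes the problem regardless of what the value contains.

```python
"""Model of CVE-2024-6933: an unvalidated language code reaching a
string-built SQL statement, and two ways of closing the hole.

Added example, not LimeSurvey code. Schema, query, helper names and the
payload are constructed; the allowlist class [A-Za-z0-9-] is an assumption
about what LimeSurvey's sanitize_languagecode() keeps."""
import re
import sqlite3

# Allowlist: everything outside [A-Za-z0-9-] is dropped (assumed helper behaviour).
NOT_LANGCODE = re.compile(r"[^A-Za-z0-9-]")


def sanitize_languagecode(code):
    """Strip every character that is not a letter, digit or hyphen."""
    return NOT_LANGCODE.sub("", "" if code is None else str(code))


def make_db():
    """Constructed sample data: survey 1 has three languages, survey 2 has two."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE survey_languages (sid INTEGER, language TEXT)")
    conn.executemany(
        "INSERT INTO survey_languages VALUES (?, ?)",
        [(1, "en"), (1, "de-informal"), (1, "fr"), (2, "en"), (2, "es")],
    )
    return conn


def remaining(conn):
    """Rows left in the table, sorted so results are comparable."""
    return sorted(conn.execute("SELECT sid, language FROM survey_languages").fetchall())


def cleanup_unsafe(conn, sid, availlangs, baselang):
    """Pre-patch shape: the base language is interpolated into the statement
    as supplied. Hypothetical query, not LimeSurvey's own SQL."""
    keep = list(availlangs) + [baselang]
    in_list = ", ".join(f"'{lang}'" for lang in keep)
    sql = (f"DELETE FROM survey_languages WHERE sid = {int(sid)} "
           f"AND language NOT IN ({in_list})")
    conn.execute(sql)
    conn.commit()
    return remaining(conn)


def cleanup_sanitized(conn, sid, availlangs, baselang):
    """Post-patch shape: allowlist the value before it reaches the query builder."""
    return cleanup_unsafe(conn, sid, availlangs, sanitize_languagecode(baselang))


def cleanup_parameterized(conn, sid, availlangs, baselang):
    """Defence in depth: bind every value, so the database never parses it as SQL."""
    keep = list(availlangs) + [baselang]
    placeholders = ", ".join("?" * len(keep))
    conn.execute(
        f"DELETE FROM survey_languages WHERE sid = ? AND language NOT IN ({placeholders})",
        [int(sid), *keep],
    )
    conn.commit()
    return remaining(conn)


# Constructed payload: closes the IN list and ORs in an always-true condition.
PAYLOAD = "en') OR ('1'='1"

if __name__ == "__main__":
    print("legitimate   :", cleanup_unsafe(make_db(), 1, ["fr"], "en"))
    print("unsafe       :", cleanup_unsafe(make_db(), 1, ["fr"], PAYLOAD))
    print("sanitized to :", repr(sanitize_languagecode(PAYLOAD)))
    print("sanitized    :", cleanup_sanitized(make_db(), 1, ["fr"], PAYLOAD))
    print("bound        :", cleanup_parameterized(make_db(), 1, ["fr"], PAYLOAD))
```

With the legitimate call only survey 1's unlisted language is removed. The unsafe path with the payload empties the whole table, including survey 2, because the OR escapes the sid restriction. The sanitized path reduces the payload to "enOR11", so no SQL is injected, but the request silently acts on a language that does not exist; the bound path treats the payload as an opaque string with the same outcome. That difference is why validating and rejecting is preferable to stripping.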
Detection Methods for CVE-2024-6933
Indicators of Compromise
- HTTP POST requests to /index.php?r=admin/database/index/updatesurveylocalesettings_generalsettings containing SQL metacharacters such as single quotes, UNION, SELECT, or comment markers in the Language parameter.
- Web server access logs showing repeated requests to the locale settings endpoint from a single authenticated session.
- Unexpected database errors or anomalous query patterns in MySQL or PostgreSQL logs originating from the LimeSurvey application user.
Detection Strategies
- Inspect application logs for malformed Language values submitted to the survey general settings handler.
- Deploy web application firewall rules that flag SQL syntax in fields expected to contain language codes. LimeSurvey itself only keeps [A-Za-z0-9-] in these codes, so any quote, parenthesis, space, equals sign or comment marker in the Language parameter is a reliable signal; do not assume a short fixed length, since valid codes such as de-informal or zh-Hans-CN exceed ten characters.
- Correlate administrative login events with subsequent locale settings modifications to identify abuse of low-privilege accounts.
Monitoring Recommendations
- Monitor LimeSurvey administrative endpoints for parameter values that violate expected language code format.
- Alert on database query errors generated by the LimeSurvey service account.
- Track changes to survey language configuration outside of expected administrative workflows.
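The indicators and strategies above can be exercised offline against a request log. The following Python pass is an added example for this page, not part of LimeSurvey or of any shipped detector. Because ordinary access logs do not record POST bodies, it assumes a JSON-lines export from a reverse proxy or WAF audit log in which the Language form field is already available; the record field names, the session identifier and the repeat threshold are assumptions, and the log lines are constructed.

```python
"""Offline detection pass for CVE-2024-6933-style abuse of the LimeSurvey
locale-settings endpoint. Added example, not LimeSurvey code.

Input: constructed JSON-lines request records (as a proxy or WAF audit log
might export them) with the POST field 'Language' already extracted.
Field names, session ids and the repeat threshold are assumptions."""
import json
import re
from collections import Counter

ENDPOINT = "updatesurveylocalesettings_generalsettings"
# LimeSurvey keeps only [A-Za-z0-9-] in language codes. The upper bound of 20
# is an assumption chosen loosely so that codes such as de-informal or
# zh-Hans-CN still pass while any SQL syntax (quotes, spaces, parentheses,
# comment markers) fails.
VALID_LANGCODE = re.compile(r"^[A-Za-z0-9-]{2,20}$")
REPEAT_THRESHOLD = 3  # assumption: more locale-settings POSTs than this per session is odd

# Constructed sample log: s1 is a normal admin, s2 probes the endpoint,
# s3 sends a payload to an unrelated route and must not be flagged here.
SAMPLE_LOG = """\
{"ts":"2024-08-01T10:00:01Z","session":"s1","method":"POST","uri":"/index.php?r=admin/database/index/updatesurveylocalesettings_generalsettings","form":{"Language":"en"}}
{"ts":"2024-08-01T10:00:05Z","session":"s1","method":"POST","uri":"/index.php?r=admin/database/index/updatesurveylocalesettings_generalsettings","form":{"Language":"de-informal"}}
{"ts":"2024-08-01T10:02:11Z","session":"s2","method":"POST","uri":"/index.php?r=admin/database/index/updatesurveylocalesettings_generalsettings","form":{"Language":"en') OR ('1'='1"}}
{"ts":"2024-08-01T10:02:12Z","session":"s2","method":"POST","uri":"/index.php?r=admin/database/index/updatesurveylocalesettings_generalsettings","form":{"Language":"en' UNION SELECT 1-- "}}
{"ts":"2024-08-01T10:02:13Z","session":"s2","method":"POST","uri":"/index.php?r=admin/database/index/updatesurveylocalesettings_generalsettings","form":{"Language":"en'/**/AND/**/1=1"}}
{"ts":"2024-08-01T10:02:14Z","session":"s2","method":"POST","uri":"/index.php?r=admin/database/index/updatesurveylocalesettings_generalsettings","form":{"Language":"fr"}}
{"ts":"2024-08-01T10:03:00Z","session":"s3","method":"POST","uri":"/index.php?r=admin/survey/sa/view","form":{"Language":"x' OR 1=1"}}
"""


def parse_log(text):
    """One dict per non-empty JSON line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_locale_settings_post(rec):
    """Scope the check to the vulnerable route; other routes are out of scope here."""
    return rec.get("method") == "POST" and ENDPOINT in rec.get("uri", "")


def scan(records):
    """Return a list of alerts: one per request whose Language value violates
    the allowlist format, plus one per session that hammers the endpoint."""
    alerts = []
    hits = Counter()
    for rec in records:
        if not is_locale_settings_post(rec):
            continue
        hits[rec["session"]] += 1
        lang = rec.get("form", {}).get("Language")
        if lang is None or VALID_LANGCODE.fullmatch(lang):
            continue
        alerts.append({"ts": rec["ts"], "session": rec["session"], "language": lang,
                       "reason": "language code contains characters outside [A-Za-z0-9-]"})
    for session, count in hits.items():
        if count > REPEAT_THRESHOLD:
            alerts.append({"session": session, "count": count,
                           "reason": "repeated locale-settings POSTs from one session"})
    return alerts


if __name__ == "__main__":
    for alert in scan(parse_log(SAMPLE_LOG)):
        print(alert)
```

Run against the sample, the pass reports the three malformed values from session s2 and then a repetition alert for that session; s1's legitimate codes, including the eleven-character de-informal, pass, and s3's payload on a different route is ignored because the scope is the vulnerable endpoint. Widening the scope to every admin route that takes a language code is a one-line change to is_locale_settings_post.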
How to Mitigate CVE-2024-6933
Immediate Actions Required
- Upgrade LimeSurvey to version 6.6.2+240827 or later, which contains the d656d2c patch.
- Audit administrative accounts and disable or rotate credentials for unused low-privilege admin users.
- Review recent survey locale changes for unauthorized modifications and inspect database integrity.
Patch Information
LimeSurvey released the fix in commit d656d2c7980b7642560977f4780e64533a68e13d, included in version 6.6.2+240827. The patch applies sanitize_languagecode() to the $baselang parameter in cleanLanguagesFromSurvey() within application/helpers/common_helper.php. See the LimeSurvey Commit d656d2c and download the patched release from the LimeSurvey Download Section.
Workarounds
- Restrict access to the LimeSurvey administrative interface using network-level controls such as IP allowlisting or VPN-only access.
- Apply a web application firewall rule that rejects requests to the locale settings endpoint when the Language parameter contains characters outside [A-Za-z0-9-].
- Enforce the principle of least privilege for survey administrator accounts until patching is complete.
# Example WAF rule (ModSecurity) restricting the Language parameter to LimeSurvey's
# allowlist ([A-Za-z0-9-]) and scoping the check to the vulnerable endpoint via a chain.
# Requires SecRequestBodyAccess On, since Language arrives in the POST body (phase 2).
# The 20-character upper bound is a conservative assumption: it admits real LimeSurvey
# codes longer than ten characters (such as de-informal or ca-valencia) while still
# rejecting SQL syntax, which always contains characters outside the class.
SecRule REQUEST_URI "@contains updatesurveylocalesettings_generalsettings" \
    "id:1006933,phase:2,deny,status:403,log,\
    msg:'CVE-2024-6933: Invalid language code in LimeSurvey locale settings',\
    chain"
    SecRule ARGS:Language "!@rx ^[A-Za-z0-9-]{2,20}$"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


