CVE-2025-63238 Overview
A Reflected Cross-Site Scripting (XSS) vulnerability affects LimeSurvey versions prior to 6.15.11+250909, caused by insufficient validation of the gid parameter in the getInstance() function within application/models/QuestionCreate.php. This flaw allows attackers to craft malicious URLs that, when clicked by authenticated users, execute arbitrary JavaScript code in the context of their browser session, potentially leading to session hijacking, credential theft, or unauthorized actions.
Critical Impact
Attackers can compromise authenticated LimeSurvey users by tricking them into clicking specially crafted URLs, enabling session hijacking, data theft, and unauthorized survey manipulation.
Affected Products
- LimeSurvey versions prior to 6.15.11+250909
Discovery Timeline
- 2026-04-09 - CVE CVE-2025-63238 published to NVD
- 2026-04-09 - Last updated in NVD database
Technical Details for CVE-2025-63238
Vulnerability Analysis
The vulnerability exists in the QuestionCreate.php model file within LimeSurvey's application layer. The getInstance() function retrieves the gid parameter directly from user-supplied input without proper type casting or sanitization. This unsanitized parameter is then processed by the application, creating a vector for reflected XSS attacks where malicious JavaScript can be injected through the URL and reflected back to the user's browser.
The lack of input validation allows attackers to bypass the application's intended data flow and inject script content that executes within the security context of the LimeSurvey application. Since this affects authenticated users, successful exploitation could lead to session token theft, CSRF token extraction, or the ability to perform actions on behalf of the compromised user.
Root Cause
The root cause is improper input validation of the gid parameter in application/models/QuestionCreate.php. The application accepts the gid parameter as a string from user input without enforcing integer type casting, allowing injection of malicious payloads that are reflected in the response without proper encoding or sanitization.
Attack Vector
An attacker exploits this vulnerability by crafting a malicious URL containing JavaScript code in the gid parameter. When an authenticated LimeSurvey administrator or user clicks this link, the injected script executes in their browser session. The attack requires user interaction (clicking the malicious link) but no authentication from the attacker's perspective.
Attack scenarios include:
- Phishing emails to LimeSurvey administrators containing malicious links
- Social engineering attacks targeting survey creators
- Forum or comment spam with embedded malicious URLs
// Security patch in application/models/QuestionCreate.php
// Fixed issue #20239: [security] Reflected Cross-Site Scripting (#4428)
if (empty($oSurvey)) {
throw new Exception('Found no survey with id ' . json_encode($iSurveyId));
}
- $gid = Yii::app()->request->getParam('gid', 0);
+ $gid = (int)Yii::app()->request->getParam('gid', 0);
if ($gid == 0) {
$gid = array_values($oSurvey->groups)[0]->gid;
}
Source: GitHub LimeSurvey Commit
Detection Methods for CVE-2025-63238
Indicators of Compromise
- Suspicious URLs containing JavaScript code or encoded script payloads in the gid parameter targeting LimeSurvey endpoints
- Web server logs showing requests to QuestionCreate.php or related endpoints with non-numeric gid values
- User reports of unexpected browser behavior or security warnings when accessing LimeSurvey links
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect and block XSS payloads in URL parameters, specifically targeting the gid parameter
- Monitor HTTP access logs for requests containing script tags, JavaScript event handlers, or encoded XSS payloads in query strings
- Deploy Content Security Policy (CSP) headers to mitigate the impact of successful XSS exploitation
Monitoring Recommendations
- Enable detailed logging for all LimeSurvey administrative actions and review for anomalous activity
- Set up alerts for unusual patterns of survey modifications or administrative changes following external link referrals
- Monitor for session anomalies such as rapid IP changes or concurrent sessions that may indicate session hijacking
How to Mitigate CVE-2025-63238
Immediate Actions Required
- Upgrade LimeSurvey to version 6.15.11+250909 or later immediately
- Review web server logs for any suspicious requests targeting the gid parameter with non-numeric values
- Implement CSP headers to reduce the impact of potential XSS attacks
- Educate users about the risks of clicking suspicious links
Patch Information
The vulnerability has been addressed in the official LimeSurvey commit which adds integer type casting to the gid parameter. The fix ensures that only numeric values are accepted, preventing the injection of malicious scripts. Users should upgrade to version 6.15.11+250909 or later to receive this security fix.
Workarounds
- If immediate patching is not possible, implement a reverse proxy or WAF rule to sanitize or block non-numeric gid parameter values
- Restrict access to LimeSurvey administrative interfaces to trusted IP addresses only
- Apply the manual patch by modifying application/models/QuestionCreate.php to cast gid as an integer: $gid = (int)Yii::app()->request->getParam('gid', 0);
# Configuration example - Apply integer cast patch manually
# Navigate to LimeSurvey installation directory
cd /var/www/limesurvey
# Backup the original file
cp application/models/QuestionCreate.php application/models/QuestionCreate.php.bak
# Apply the fix by replacing the vulnerable line
sed -i "s/\$gid = Yii::app()->request->getParam('gid', 0);/\$gid = (int)Yii::app()->request->getParam('gid', 0);/g" application/models/QuestionCreate.php
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
