CVE-2025-70797 Overview
A Cross-Site Scripting (XSS) vulnerability has been identified in LimeSurvey version 6.15.20+251021. This web application vulnerability allows remote attackers to execute arbitrary script in a victim's browser by injecting malicious content through the Box[title] and box[url] parameters. LimeSurvey is a widely used open-source online survey application, making this vulnerability particularly concerning for organizations that rely on it for data collection.
Critical Impact
Remote attackers can inject malicious scripts that execute in victims' browsers, potentially leading to session hijacking, credential theft, or further attacks against authenticated users of the LimeSurvey application.
Affected Products
- LimeSurvey v.6.15.20+251021
Discovery Timeline
- 2026-04-09 - CVE CVE-2025-70797 published to NVD
- 2026-04-09 - Last updated in NVD database
Technical Details for CVE-2025-70797
Vulnerability Analysis
This Cross-Site Scripting vulnerability (CWE-79) occurs due to insufficient input sanitization in the LimeSurvey application. The vulnerability exists in the handling of user-supplied input through two specific parameters: Box[title] and box[url]. When malicious JavaScript code is submitted through these parameters, the application fails to properly encode or sanitize the input before reflecting it back in the browser context.
The attack requires user interaction, as a victim must be tricked into clicking a malicious link or visiting a compromised page. Upon successful exploitation, the injected script executes within the security context of the vulnerable LimeSurvey application, allowing the attacker to perform actions on behalf of the victim user.
Root Cause
The root cause of this vulnerability is improper input validation and output encoding in LimeSurvey's handling of the Box[title] and box[url] parameters. The application does not adequately sanitize user input before including it in dynamically generated web content, allowing attackers to inject executable script code that bypasses security controls.
Attack Vector
The attack is network-based, requiring the attacker to craft a malicious URL or form submission containing JavaScript payloads in the vulnerable parameters. The attacker must then convince an authenticated LimeSurvey user to interact with this malicious content. Because the vulnerability's scope is classed as changed (the exploited component, the LimeSurvey server, differs from the impacted component, the user's browser), the attack can affect resources beyond the vulnerable component, potentially including other web applications open in the same browser context.
The vulnerability targets the Box[title] and box[url] parameters, which are likely used in the survey box configuration functionality. An attacker could craft payloads that, when processed by the application, execute arbitrary JavaScript in the context of an authenticated administrator's session.
For technical details and proof-of-concept information, refer to the GitHub Gist PoC Repository.
Detection Methods for CVE-2025-70797
Indicators of Compromise
- Unusual HTTP requests containing JavaScript code or HTML tags in the Box[title] or box[url] parameters
- Web application firewall logs showing XSS attack patterns targeting LimeSurvey endpoints
- Unexpected script execution or DOM manipulation in browser developer tools during LimeSurvey sessions
- User reports of suspicious behavior or redirects while using LimeSurvey administration interfaces
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect and block XSS payloads in HTTP parameters
- Monitor server access logs for requests containing encoded script tags or JavaScript event handlers in the vulnerable parameters
- Deploy Content Security Policy (CSP) headers to detect and prevent inline script execution
- Use browser-based security tools to identify reflected content anomalies
Monitoring Recommendations
- Enable detailed logging for LimeSurvey application requests, particularly those involving box configuration
- Configure SIEM alerts for patterns matching XSS attack signatures in web traffic
- Implement real-time monitoring for suspicious parameter values containing characters or tokens such as <, >, script, or javascript:
- Review authentication logs for session anomalies that may indicate successful XSS exploitation
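The detection and monitoring items above can be turned into a small log scanner. The following is an added example, not code from the original advisory or from the LimeSurvey project: it parses constructed access-log lines in the common combined format, percent-decodes the query string (repeatedly, so double-encoded payloads are also seen), and flags requests whose Box[title] or box[url] values contain the indicators listed above. The endpoint path in the sample lines is a placeholder, not a real LimeSurvey route; the indicator regex is a starting point to tune against your own traffic.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Parameters named in the advisory, matched case-insensitively because the
# advisory itself spells them "Box[title]" and "box[url]".
WATCHED_PARAMS = {"box[title]", "box[url]"}

# Indicators from the "Monitoring Recommendations" list (<, >, script, javascript:)
# plus inline event-handler attributes such as onerror= / onload=.
SUSPICIOUS = re.compile(r"[<>]|\bscript\b|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)

# Apache/nginx "combined" format: client ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (assumption: the path is a placeholder, not a LimeSurvey route).
SAMPLE_LOG = [
    '203.0.113.7 - - [09/Apr/2026:10:15:01 +0000] "GET /index.php/admin/box-config-placeholder'
    '?Box[title]=Welcome&box[url]=https://example.com/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [09/Apr/2026:10:16:44 +0000] "GET /index.php/admin/box-config-placeholder'
    '?Box%5Btitle%5D=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [09/Apr/2026:10:17:02 +0000] "GET /index.php/admin/box-config-placeholder'
    '?box[url]=javascript:alert(1) HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    # Double percent-encoded: %253C -> %3C -> <
    '198.51.100.4 - - [09/Apr/2026:10:18:30 +0000] "GET /index.php/admin/box-config-placeholder'
    '?box%5Burl%5D=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    # POST bodies are not in the access log; those need application-level or WAF logging.
    '203.0.113.7 - - [09/Apr/2026:10:19:11 +0000] "POST /index.php/admin/box-config-placeholder HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]


def decode_fully(value, rounds=3):
    """Percent-decode until stable (bounded) so double-encoded payloads are visible."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def flagged_params(target):
    """Return {param_name: decoded_value} for watched params whose value looks suspicious."""
    hits = {}
    # parse_qs already decodes one layer of percent-encoding in names and values
    for name, values in parse_qs(urlsplit(target).query, keep_blank_values=True).items():
        if decode_fully(name).lower() not in WATCHED_PARAMS:
            continue
        for value in values:
            value = decode_fully(value)
            if SUSPICIOUS.search(value):
                hits[name] = value
    return hits


def scan_log(lines):
    """Return (client, time, target, hits) for each request carrying a suspicious watched parameter."""
    findings = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # not a combined-format request line; skip rather than guess
        hits = flagged_params(match.group("target"))
        if hits:
            findings.append((match.group("client"), match.group("time"), match.group("target"), hits))
    return findings


if __name__ == "__main__":
    for client, when, target, hits in scan_log(SAMPLE_LOG):
        print(f"{when} {client} {target}\n    {hits}")
```

The scanner only sees GET query strings; parameters sent in a POST body never reach the access log, so the "detailed logging for box configuration" item above (or WAF request-body logging) is what closes that gap. Expect some noise from legitimate titles containing angle brackets, and tune SUSPICIOUS accordingly.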
How to Mitigate CVE-2025-70797
Immediate Actions Required
- Upgrade LimeSurvey to a patched version that addresses this vulnerability
- Implement input validation and output encoding for all user-supplied parameters
- Deploy or update WAF rules to filter XSS attack patterns targeting the Box[title] and box[url] parameters
- Restrict administrative access to LimeSurvey to trusted networks where possible
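The "input validation and output encoding" item above is the fix class for this bug: a title must be HTML-encoded for the context it lands in, and a URL must be restricted to safe schemes before it goes into an href. The following added example illustrates that pattern in Python; it is not LimeSurvey's PHP code and the render_box_* functions, the allowed-scheme list, and the markup are assumptions chosen for illustration. The unsafe variant shows the defect class the advisory describes; the safe variant shows the corrected handling.

```python
import html
from urllib.parse import urlsplit

# Assumption: only absolute http(s) links or site-relative paths are legitimate box targets.
ALLOWED_SCHEMES = {"http", "https"}


def render_box_unsafe(title, url):
    """'Before' pattern (illustrative): raw interpolation of user input into HTML."""
    return f'<div class="box"><a href="{url}">{title}</a></div>'


def safe_url(url):
    """Return the URL if it is a site-relative path or an absolute http(s) URL; otherwise '#'.

    urlsplit strips tabs/newlines and lower-cases the scheme, so obfuscations such as
    'java\tscript:' or 'JAVASCRIPT:' still resolve to the rejected 'javascript' scheme.
    """
    cleaned = url.strip()
    parts = urlsplit(cleaned)
    if parts.scheme == "" and not cleaned.startswith("//"):
        return cleaned  # site-relative path such as /index.php/...
    if parts.scheme in ALLOWED_SCHEMES and parts.netloc:
        return cleaned
    return "#"  # javascript:, data:, scheme-relative //host, and anything else


def render_box_safe(title, url):
    """'After' pattern: scheme-validate the URL, then HTML-encode both values for their context.

    html.escape(quote=True) also encodes " and ', so the attribute value cannot be broken out of.
    """
    href = html.escape(safe_url(url), quote=True)
    text = html.escape(title, quote=True)
    return f'<div class="box"><a href="{href}">{text}</a></div>'


if __name__ == "__main__":
    # Constructed inputs demonstrating the two paths.
    print(render_box_unsafe("<b>Welcome</b>", "javascript:alert(1)"))
    print(render_box_safe("<b>Welcome</b>", "javascript:alert(1)"))
    print(render_box_safe("Survey portal", "https://example.com/surveys"))
```

Encoding on output rather than stripping on input is deliberate: the stored title stays intact for other contexts (API responses, exports), while every HTML rendering of it is made inert. The URL check is an allow-list on scheme, which is the only reliable way to keep javascript: and data: links out of an href.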
Patch Information
A fix for this vulnerability has been submitted to the LimeSurvey project. Users should review the GitHub Pull Request for LimeSurvey for patch details and update their installations to incorporate the security fix. Organizations should check for official LimeSurvey releases that include this patch and upgrade accordingly.
Workarounds
- Implement strict Content Security Policy (CSP) headers to mitigate the impact of XSS attacks by preventing inline script execution
- Configure WAF rules to sanitize or block requests containing script tags and JavaScript event handlers in the affected parameters
- Limit access to LimeSurvey administrative functions to trusted IP addresses or VPN-connected users
- Educate users about the risks of clicking untrusted links, especially those pointing to the LimeSurvey installation
# Example Content Security Policy header configuration for Apache
# Add to .htaccess or Apache configuration file
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'self'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.