WS-2023-0055
Published:May 15, 2026
Updated:May 15, 2026
A Stored Cross-Site Scripting vulnerability exists in survey administrator name in limesurvey/limesurvey prior to 5.6.6. The administrator name field in Survey settings has a Stored Cross-Site scripting vulnerability as it does not sanitize the user input administrator name. A user can enter the javascript payload "><script>alert(document.cookie)</script> in the Administrator name field and the XSS executes in the authenticated user's context as well as on the survey error page.
Affected Packages
limesurvey/limesurvey (PHP):
Affected version(s) >=dev-snyk-upgrade-db5589e32a61db42524a88ad04a6eaba <6.0.1+230411Fix Suggestion:
Update to version 6.0.1+230411limesurvey/limesurvey (PHP):
Affected version(s) =3.27.34+220132 <3.27.35+220208Fix Suggestion:
Update to version 3.27.35+220208limesurvey/limesurvey (PHP):
Affected version(s) >=5.3.8+220404 <5.3.26+220720Fix Suggestion:
Update to version 5.3.26+220720limesurvey/limesurvey (PHP):
Affected version(s) >=dev-anonymize-tokens <dev-basicFix Suggestion:
Update to version dev-basiclimesurvey/limesurvey (PHP):
Affected version(s) >=3.28.20+220719 <dev-fixv3-16987Fix Suggestion:
Update to version dev-fixv3-16987limesurvey/limesurvey (PHP):
Affected version(s) =dev-develop-innodb <dev-display-import-errors-masterFix Suggestion:
Update to version dev-display-import-errors-masterlimesurvey/limesurvey (PHP):
Affected version(s) >=3.28.1+220229 <3.28.14+220608Fix Suggestion:
Update to version 3.28.14+220608limesurvey/limesurvey (PHP):
Affected version(s) >=3.27.29+211214 <3.27.33+220125Fix Suggestion:
Update to version 3.27.33+220125limesurvey/limesurvey (PHP):
Affected version(s) =dev-copy-question <dev-detachedFix Suggestion:
Update to version dev-detachedlimesurvey/limesurvey (PHP):
Affected version(s) >=3.28.15+220616 <3.28.18+220706Fix Suggestion:
Update to version 3.28.18+220706limesurvey/limesurvey (PHP):
Affected version(s) >=5.3.27+220725 <5.6.6+230220Fix Suggestion:
Update to version 5.6.6+230220limesurvey/limesurvey (PHP):
Affected version(s) =dev-fix-qngroup-phpdoc <dev-fix-relations-20230411Fix Suggestion:
Update to version dev-fix-relations-20230411limesurvey/limesurvey (PHP):
Affected version(s) >=dev-relevance-import2 <dev-snyk-upgrade-8e8193a6a781d5929de6292963cd2a21Fix Suggestion:
Update to version dev-snyk-upgrade-8e8193a6a781d5929de6292963cd2a21limesurvey/limesurvey (PHP):
Affected version(s) >=dev-v3-add-import-converter <3.23.5+200923Fix Suggestion:
Update to version 3.23.5+200923limesurvey/limesurvey (PHP):
Affected version(s) >=dev-snyk-fix-76cf46bd82f4347fa5bd130cdd788057 <=dev-snyk-upgrade-b8f4dac44087b061e2e7d08aa4d95731Fix Suggestion:
Update to version no_fixlimesurvey/limesurvey (PHP):
Affected version(s) >=dev-scrutinizer-patch-3 <dev-survey-booleans3Fix Suggestion:
Update to version dev-survey-booleans3limesurvey/limesurvey (PHP):
Affected version(s) >=dev-global-settings <dev-test-log-checksFix Suggestion:
Update to version dev-test-log-checkslimesurvey/limesurvey (PHP):
Affected version(s) =dev-fix-gitignore <dev-fix-model-relationsFix Suggestion:
Update to version dev-fix-model-relationslimesurvey/limesurvey (PHP):
Affected version(s) >=4.1.18+200416 <5.3.7+220328Fix Suggestion:
Update to version 5.3.7+220328limesurvey/limesurvey (PHP):
Affected version(s) >=3.23.6+200929 <3.27.28+211208Fix Suggestion:
Update to version 3.27.28+211208limesurvey/limesurvey (PHP):
Affected version(s) =dev-develop <dev-develop-developFix Suggestion:
Update to version dev-develop-developlimesurvey/limesurvey (PHP):
Affected version(s) >=dev-em_quota <dev-fix-composer-license-formatFix Suggestion:
Update to version dev-fix-composer-license-formatlimesurvey/limesurvey (PHP):
Affected version(s) >=dev-dependabot/npm_and_yarn/assets/packages/adminbasics/terser-5.14.2 <dev-dependabot/npm_and_yarn/assets/packages/lstutorial/terser-5.14.2Fix Suggestion:
Update to version dev-dependabot/npm_and_yarn/assets/packages/lstutorial/terser-5.14.2limesurvey/limesurvey (PHP):
Affected version(s) =dev-fix-theme-help <dev-fix-typoFix Suggestion:
Update to version dev-fix-typokevinchappell/form-builder (PHP):
Affected version(s) =dev-dependabot/npm_and_yarn/terser-4.8.1 <dev-dependabot/npm_and_yarn/lodash-4.17.21Fix Suggestion:
Update to version dev-dependabot/npm_and_yarn/lodash-4.17.21limesurvey/limesurvey (PHP):
Affected version(s) =dev-fix-spss-token-length <dev-fix-testsFix Suggestion:
Update to version dev-fix-testslimesurvey/limesurvey (PHP):
Affected version(s) >=4.0.0-beta <4.1.17+200414Fix Suggestion:
Update to version 4.1.17+200414limesurvey/limesurvey (PHP):
Affected version(s) =dev-dependabot/npm_and_yarn/assets/packages/questions/upload/terser-5.14.2 <6.0.0+230405Fix Suggestion:
Update to version 6.0.0+230405limesurvey/limesurvey (PHP):
Affected version(s) >=dev-dependabot/npm_and_yarn/assets/packages/questions/upload/loader-utils-2.0.3 <dev-clicks-test3Fix Suggestion:
Update to version dev-clicks-test3Related Resources (1)
Do you need more information?
Contact UsCVSS v4
Base Score:
4.8
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
HIGH
User Interaction
PASSIVE
Vulnerable System Confidentiality
LOW
Vulnerable System Integrity
LOW
Vulnerable System Availability
LOW
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
4.3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality
LOW
Integrity
LOW
Availability
LOW