CVE-2021-42112: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

October 12, 2021 (updated November 17, 2021)

The “File upload question” functionality in LimeSurvey 3.x-LTS through 3.27.18 allows XSS in assets/scripts/modaldialog.js and assets/scripts/uploader.js.

References

bugs.limesurvey.org/view.php?id=17562
github.com/LimeSurvey/LimeSurvey/commit/d56619a50cfd191bbffd0adb660638a5e438070d
github.com/LimeSurvey/LimeSurvey/pull/2044
github.com/advisories/GHSA-h9ph-jcgh-gf69
nvd.nist.gov/vuln/detail/CVE-2021-42112
www.on-x.com/sites/default/files/on-x_-_security_advisory_-_limesurvey_-_cve-2021-42112.pdf

Detect and mitigate CVE-2021-42112 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →