CVE-2022-48010 in LimeSurvey
Summary
by MITRE • 01/27/2023
LimeSurvey v5.4.15 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the component /index.php/surveyAdministration/rendersidemenulink?subaction=surveytexts. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Description or Welcome-message text fields.
Analysis
by VulDB Data Team • 04/28/2025
The vulnerability CVE-2022-48010 represents a critical stored cross-site scripting flaw in LimeSurvey version 5.4.15 that resides within the survey administration functionality. This issue specifically affects the /index.php/surveyAdministration/rendersidemenulink?subaction=surveytexts endpoint, which serves as a component for managing survey text elements including description and welcome messages. The vulnerability stems from inadequate input validation and output encoding mechanisms that fail to properly sanitize user-supplied content before rendering it within the web interface. Attackers can exploit this weakness by injecting malicious scripts into the vulnerable text fields, which then get executed when other users view the affected survey administration pages.
The technical exploitation of this vulnerability follows established XSS attack patterns where malicious payloads are crafted to bypass existing security controls. The flaw occurs because the application does not adequately filter or encode special characters in the Description and Welcome-message text fields, allowing attackers to inject script tags or other malicious code that gets stored within the application's database. When legitimate users access the survey administration interface, their browsers execute the stored malicious scripts within the context of the vulnerable web application, potentially compromising user sessions and enabling further attacks. This stored XSS vulnerability falls under CWE-79, which categorizes cross-site scripting flaws as weaknesses that allow attackers to inject malicious scripts into web applications viewed by other users.
The operational impact of CVE-2022-48010 extends beyond simple script execution, as it can lead to session hijacking, credential theft, and privilege escalation within the LimeSurvey environment. Attackers who successfully exploit this vulnerability can potentially gain unauthorized access to sensitive survey data, manipulate survey configurations, and compromise the integrity of the entire survey administration system. The stored nature of this vulnerability means that malicious payloads persist even after the initial injection, making the attack vector particularly dangerous as it can affect multiple users over extended periods. This weakness directly aligns with ATT&CK technique T1566.001, which covers social engineering through spearphishing with a malicious attachment, as attackers could leverage this vulnerability to create malicious survey text that appears legitimate to end users.
Organizations utilizing LimeSurvey v5.4.15 should implement immediate mitigations including input sanitization of all user-supplied content, proper HTML encoding of rendered output, and comprehensive security testing of web application components. The recommended remediation involves upgrading to a patched version of LimeSurvey that addresses this vulnerability through proper validation and sanitization of input parameters. Additionally, implementing content security policies and regular security scanning of web applications can help detect similar vulnerabilities. Security teams should also establish monitoring protocols to detect unauthorized modifications to survey text fields and apply least-privilege access controls to survey administration functions. The vulnerability demonstrates the critical importance of proper input validation and output encoding practices in web applications, as outlined in OWASP Top 10 categories related to injection flaws and cross-site scripting vulnerabilities.
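One way to implement the monitoring of survey text fields recommended above, as an added example that is not LimeSurvey or VulDB code: a Python audit that parses stored Description and Welcome-message HTML and reports script-capable markup. The row layout, the key names (`sid`, `description`, `welcome`) and the sample rows are assumptions constructed for illustration.

```python
from html.parser import HTMLParser

# Assumed key names for exported survey text rows (not LimeSurvey's schema).
TEXT_FIELDS = ("description", "welcome")
ACTIVE_TAGS = {"script", "iframe", "object", "embed"}
URL_ATTRS = {"href", "src", "action", "formaction"}
BAD_SCHEMES = ("javascript:", "vbscript:", "data:text/html")


class ActiveContentFinder(HTMLParser):
    """Collects markup that can run script when the stored text is rendered."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases names and decodes character references in
        # attribute values, so comparisons run on the normalized form.
        if tag in ACTIVE_TAGS:
            self.findings.append(f"tag:{tag}")
        for name, value in attrs:
            if name.startswith("on"):  # inline event handler attributes
                self.findings.append(f"handler:{tag}.{name}")
            elif name in URL_ATTRS and value:
                # Drop whitespace and control characters before the scheme check.
                compact = "".join(ch for ch in value if ch > " ").lower()
                if compact.startswith(BAD_SCHEMES):
                    self.findings.append(f"url:{tag}.{name}")


def find_active_content(html_text):
    finder = ActiveContentFinder()
    finder.feed(html_text or "")
    finder.close()
    return finder.findings


def audit_surveys(rows):
    """Map (survey id, field) to findings for every field holding active content."""
    report = {}
    for row in rows:
        for field in TEXT_FIELDS:
            hits = find_active_content(row.get(field))
            if hits:
                report[(row["sid"], field)] = hits
    return report


# Constructed sample rows: one clean survey and two with script-capable markup.
SAMPLE_ROWS = [
    {"sid": 101, "description": "<p>Annual <b>staff</b> survey</p>", "welcome": "<p>Welcome!</p>"},
    {"sid": 102, "description": '<img src="logo.png" onerror="alert(1)">', "welcome": None},
    {"sid": 103, "description": "<p>ok</p>", "welcome": '<a href="javascript:alert(1)">go</a><script>alert(1)</script>'},
]
```

Running `audit_surveys` on a periodic export of the text fields and alerting on any non-empty report gives a change-detection signal that does not depend on the application's own filtering.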