CVE-2020-25798

{"id": "CVE-2020-25798", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 3.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 6.8, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}]}, "published": "2020-11-17T15:15:12.163", "references": [{"url": "https://bugs.limesurvey.org/view.php?id=15672", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/LimeSurvey/LimeSurvey/commit/38e1ab069b538de7cb5f3a04939aba8e835640cb", "tags": ["Patch", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://bugs.limesurvey.org/view.php?id=15672", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/LimeSurvey/LimeSurvey/commit/38e1ab069b538de7cb5f3a04939aba8e835640cb", "tags": ["Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "A stored cross-site scripting (XSS) vulnerability in LimeSurvey before and including 3.21.1 allows authenticated users with correct permissions to inject arbitrary web script or HTML via parameter ParticipantAttributeNamesDropdown of the Attributes on the central participant database page. When the survey attribute being edited or viewed, e.g. by an administrative user, the JavaScript code will be executed in the browser."}, {"lang": "es", "value": "Una vulnerabilidad de tipo cross-site scripting (XSS) almacenado en LimeSurvey versiones anteriores e incluyendo a 3.21.1, permite a usuarios autenticados con los permisos correctos inyectar script web o HTML arbitrario por medio del par\u00e1metro ParticipantAttributeNamesDropdown de los Atributos en la p\u00e1gina central de la base de datos de participantes. Cuando el atributo de la encuesta es editada o visualizada, por ejemplo, por un usuario administrativo, el c\u00f3digo JavaScript ser\u00e1 ejecutado en el navegador"}], "lastModified": "2024-11-21T05:18:48.547", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:limesurvey:limesurvey:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E50C3C7B-8C1C-461C-8E5A-2C45775E3338", "versionEndIncluding": "3.21.1"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}