View Issue Details

This bug affects 1 person(s).

ID: 20125
Project: Bug reports
Category: Security
View Status: public
Last Update: 2025-05-27 08:49
Reporter: manfredsteger
Assigned To:
Priority: none
Severity: partial_block
Status: new
Resolution: open
Product Version: 6.6.x
Summary: 20125: Third-party components affected by known vulnerabilities (CVEs)
Description

During a security review of LimeSurvey 6.10.x, several third-party components were identified that are outdated and affected by known vulnerabilities (CVEs). These components pose potential security risks and should be updated to their latest secure versions.

The application uses the following software packages with known vulnerabilities:

Name      | Version | Latest Version | Known Vulnerabilities                                                         | Location
vue.js    | 2.6.14  | 3.5.13         | CVE-2024-9506                                                                 | /tmp/assets/146de2f6/build.min/js/adminsidepanel.js
ckeditor4 | 4.22.1  | 4.25.1         | CVE-2024-43407, CVE-2024-43411, CVE-2024-24815, CVE-2024-24816, CVE-2023-4771 | /tmp/assets/a26664b9/ckeditor.js
kcfinder  | 3.12    | 3.12           | CVE-2019-14315                                                                | /vendor/kcfinder/browse.php?language=de

Recommended Actions

vue.js: Upgrade from version 2.6.14 to at least 3.5.13 to eliminate CVE-2024-9506.

ckeditor4: Upgrade from version 4.22.1 to 4.25.1 to mitigate multiple CVEs listed above.

kcfinder: The project is no longer maintained. Replace it with a secure and maintained alternative (e.g., elFinder or a modern file manager integrated into CKEditor5).

Perform a full dependency audit and integrate dependency checking into the CI/CD pipeline.

Steps To Reproduce

OWASP test and pentest-tools.com were used.
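The last recommended action, integrating dependency checking into the CI/CD pipeline, as an added example that is not part of this report or of LimeSurvey: a Python check that walks a deployed web root for the vendored front-end assets named in the table, reads each file's embedded version string, and fails the build when a version is below the report's upgrade target or when the unmaintained kcfinder directory is present. The version regexes, the directory layout and the sample files it writes are constructed assumptions, not LimeSurvey's actual build output.

```python
import re, sys, tempfile
from pathlib import Path
# Components from the report with its upgrade target and CVEs; the regexes are
# assumptions about how each built file embeds its version, not from the report.
POLICY = {
    "vue.js": {"min": "3.5.13", "cves": ["CVE-2024-9506"],
               "glob": "**/*.js", "pattern": r"Vue\.js v(\d+\.\d+\.\d+)"},
    "ckeditor4": {"min": "4.25.1", "glob": "**/ckeditor.js",
                  "pattern": r'version:"(\d+\.\d+\.\d+)"',
                  "cves": ["CVE-2024-43407", "CVE-2024-43411", "CVE-2024-24815",
                           "CVE-2024-24816", "CVE-2023-4771"]},
}
# Unmaintained component with no fixed release: its presence alone is the finding.
UNMAINTAINED = {"kcfinder": ("vendor/kcfinder", ["CVE-2019-14315"])}

def parse_version(text):  # "4.22.1" -> (4, 22, 1): compare numerically, not as strings
    return tuple(int(p) for p in text.split("."))

def scan(root):
    """Return (component, version, cves, relative path) for every policy hit."""
    root, findings = Path(root), []
    for name, rule in POLICY.items():
        regex = re.compile(rule["pattern"])
        for path in root.glob(rule["glob"]):
            m = regex.search(path.read_text(errors="ignore"))
            if m and parse_version(m.group(1)) < parse_version(rule["min"]):
                findings.append((name, m.group(1), rule["cves"], path.relative_to(root).as_posix()))
    for name, (subdir, cves) in UNMAINTAINED.items():
        if (root / subdir).is_dir():
            findings.append((name, "present", cves, subdir))
    return findings

def write_sample_tree(root):  # constructed stand-ins at the report's paths, not the real assets
    for rel, body in {
        "tmp/assets/146de2f6/build.min/js/adminsidepanel.js": "/*!\n * Vue.js v2.6.14\n */\n",
        "tmp/assets/a26664b9/ckeditor.js": 'var a={version:"4.22.1"};',
        "vendor/kcfinder/browse.php": "<?php // constructed placeholder\n",
    }.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)

def demo():  # build the constructed tree in a temp dir and scan it
    with tempfile.TemporaryDirectory() as tmp:
        write_sample_tree(tmp)
        return scan(tmp)

if __name__ == "__main__":  # CI gate: exit non-zero when anything is flagged
    hits = demo()
    print(*(f"{c} {v} at {w}: {', '.join(cves)}" for c, v, cves, w in hits), sep="\n")
    sys.exit(1 if hits else 0)
```

Lockfile-based audits (composer audit, npm audit) only see declared packages, so build artefacts vendored into the web root like these need a file-level check of this kind.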

Tags: No tags attached.
Attached Files: cves.png (314,652 bytes)
Bug heat: 254
Complete LimeSurvey version number (& build): 6.10.5
I will donate to the project if issue is resolved: Yes
Browser: FF 138.0.4 (aarch64)
Database type & version: MariaDB 11.4
Server OS (if known): Ubuntu 22
Webserver software & version (if known): Apache/2.4.62 (Debian)
PHP Version: 8.3.17

Activities

manfredsteger (reporter), 2025-05-27 07:26, note ~82766

We are currently implementing LimeSurvey for our training measures, but the penetration test failed due to CVEs and EoLs. We are very interested in closing the security gaps and can also support with an assignment. Please contact me if interested via my user e-mail address.

DenisChenu (developer), 2025-05-27 08:49, note ~82767

> kcfinder: The project is no longer maintained. Replace it with a secure and maintained alternative (e.g., elFinder or a modern file manager integrated into CKEditor5).

We use our own kcfinder currently. I think this CVE is fixed currently. But right: it can have others.

Issue History

Date Modified    | Username      | Field      | Change
2025-05-27 07:23 | manfredsteger | New Issue  |
2025-05-27 07:23 | manfredsteger | File Added | cves.png
2025-05-27 07:26 | manfredsteger | Note Added | 82766
2025-05-27 07:26 | manfredsteger | Bug heat   | 250 => 252
2025-05-27 08:49 | DenisChenu    | Note Added | 82767
2025-05-27 08:49 | DenisChenu    | Bug heat   | 252 => 254