We are currently implementing LimeSurvey for our training measures, but the penetration test failed due to CVEs and EoLs. We are very interested in closing the security gaps and can also support with an assignment. Please contact me if interested via my user e-mail address

kcfinder: The project is no longer maintained. Replace it with a secure and maintained alternative (e.g., elFinder or a modern file manager integrated into CKEditor5).

We use our own kcfinder currently. I think this CVE are fixed currently. But right : can have other.

Is it possible that the mentioned components could be updated against remunation/payments to a stable version, and that abandoned projects would switch to an existing one? I'm not a LimeSurvey expert; I'm just a project manager. However, based on what I see, only the KCFinder is needed for the file upload process. As mentioned before, CKEditor could potentially handle this directly. To reiterate what I said earlier, removing EoL projects entirely would be in the community's interest.

@manfredsteger, please note that all issues are referring to the admin interface only. That means only logged in Limesurvey admin users would be able to mis-use any of these security issues.
So while I agree that these issues should be fixed, the risk of any harm being caused by these issues is low.

@Mazi Yes, we’ve considered locking down the backend—and I suspect that nearly every university or educational institution with strict security measures will do exactly that. Personally, I think it’s fundamentally wrong: many IT teams go to the trouble of hiding everything behind VPNs, and users then have to overcome this hurdle, leading to constant support requests and frustration for inexperienced users. Our policy is to install everything properly and cleanly, without hiding anything behind firewalls or VPNs—that approach is old-school. Don’t you share the goal of making LimeSurvey inherently more secure—and getting paid for it?