View Issue Details

ID: 20126
Project: Bug reports
Category: Security
View Status: public
Last Update: 2025-07-15 09:32
Reporter: manfredsteger
Assigned To: c_schmitz
Priority: none
Severity: partial_block
Status: closed
Resolution: duplicate
Product Version: 6.6.x
Summary20126: End-of-Life Software Components in LimeSurvey 6.10.x
Description

A recent analysis revealed that LimeSurvey 6.10.x makes use of software components that are either officially End-of-Life (EOL) or no longer maintained. This status implies that these packages no longer receive security updates or patches, making them a liability in production environments.

Name: ckeditor4
Version: 4.22.1
Latest Version: 4.25.1
Reason: https://endoflife.date/ckeditor
Location: /tmp/assets/a26664b9/ckeditor.js

Name: kcfinder
Version: 3.12
Latest Version: 3.12
Reason: The GitHub repository has been archived; the last update was over 10 years ago.
Location: https://github.com/sunhater/kcfinder

Recommended Actions

ckeditor4

    Upgrade to the latest available 4.x version if possible (4.25.1), or better: migrate to CKEditor 5, which is actively maintained.

    Note: Officially considered EOL according to endoflife.date.

kcfinder

    The project has been abandoned; consider replacing it with a maintained alternative (e.g., elFinder).

    Retain only in legacy environments if absolutely necessary — not recommended for production use.

Review the entire dependency tree of LimeSurvey and set up automated monitoring for EOL and vulnerable packages.
Steps To Reproduce

OWASP Test or with pentest-tools.com

Tags: No tags attached.
Attached Files: eols.png (247,904 bytes)
Bug heat: 268
Complete LimeSurvey version number (& build): 6.10.5
I will donate to the project if issue is resolved: Yes
Browser: FF 138.0.4 (aarch64)
Database type & version: MariaDB 11.4
Server OS (if known): Ubuntu 22
Webserver software & version (if known): Apache/2.4.62 (Debian)
PHP Version: 8.3.17
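The report's closing recommendation (review the dependency tree and monitor it automatically for EOL and unmaintained packages) as an added example. This is not LimeSurvey's code and not the scanner the reporter used; it runs offline against a constructed snapshot shaped like endoflife.date's per-product JSON (fields `cycle`, `eol`, `latest`) and a constructed repository record shaped like GitHub's /repos API (`archived`, `pushed_at`). The regex used to pull the version out of ckeditor.js, the sample file contents, the EOL date in the snapshot and the three-year idle threshold are assumptions for illustration; check them against the live sources before relying on them.

```python
"""Offline EOL / maintenance check for bundled web components (added example)."""
import re
from dataclasses import dataclass
from datetime import date

# Constructed snapshot in the shape of https://endoflife.date/api/ckeditor.json.
# Dates and "latest" values are illustrative; refresh from the live API in real use.
EOL_SNAPSHOT = {
    "ckeditor": [
        {"cycle": "5", "eol": False, "latest": None},
        {"cycle": "4", "eol": "2023-06-30", "latest": "4.25.1"},
    ],
}

# Constructed record in the shape of GitHub's /repos/{owner}/{repo} response.
# kcfinder is not tracked by endoflife.date, so repository activity is the only signal.
KCFINDER_REPO = {"archived": True, "pushed_at": "2015-01-01T00:00:00Z"}

# Constructed stand-in for the banner of a minified CKEditor 4 build; the real
# file is much larger, this only needs the version field the regex looks for.
SAMPLE_CKEDITOR_JS = 'var CKEDITOR={timestamp:"N0A9",version:"4.22.1",revision:"abc123"};'

# Assumed pattern: matches version:"4.22.1" or version = '4.22.1'.
CKEDITOR_VERSION_RE = re.compile(r'version\s*[:=]\s*["\'](\d+(?:\.\d+)+)["\']')


@dataclass
class Finding:
    name: str
    version: str
    status: str  # "eol", "unmaintained", "outdated", "ok" or "unknown"
    reason: str


def parse_version(v: str) -> tuple:
    """'4.22.1' -> (4, 22, 1) so that tuple comparison orders versions."""
    return tuple(int(part) for part in v.split("."))


def ckeditor_version_from_js(js_text: str):
    """Extract the bundled CKEditor version from the built ckeditor.js."""
    m = CKEDITOR_VERSION_RE.search(js_text)
    return m.group(1) if m else None


def check_eol(name: str, version: str, snapshot: dict, today: date) -> Finding:
    """Classify a component against endoflife.date-style cycle data."""
    cycles = snapshot.get(name, [])
    major = version.split(".")[0]
    cycle = next((c for c in cycles if c["cycle"] == major), None)
    if cycle is None:
        return Finding(name, version, "unknown", f"cycle {major} not listed")
    eol = cycle["eol"]
    # endoflife.date encodes EOL either as a boolean or as an ISO date string.
    if eol is True or (isinstance(eol, str) and date.fromisoformat(eol) <= today):
        return Finding(name, version, "eol", f"cycle {major} reached EOL on {eol}")
    latest = cycle.get("latest")
    if latest and parse_version(version) < parse_version(latest):
        return Finding(name, version, "outdated", f"latest in cycle is {latest}")
    return Finding(name, version, "ok", "supported and current")


def check_repo(name: str, version: str, repo: dict, today: date,
               max_idle_years: int = 3) -> Finding:
    """Flag a component whose upstream repository is archived or long idle."""
    if repo.get("archived"):
        return Finding(name, version, "unmaintained", "repository is archived")
    pushed = date.fromisoformat(repo["pushed_at"][:10])
    idle_days = (today - pushed).days
    if idle_days > max_idle_years * 365:
        return Finding(name, version, "unmaintained",
                       f"no push for {idle_days} days")
    return Finding(name, version, "ok", f"last push {pushed.isoformat()}")


def audit(today: date) -> list:
    """Run both checks over the two components named in the report."""
    findings = []
    ck_version = ckeditor_version_from_js(SAMPLE_CKEDITOR_JS)
    if ck_version is None:
        findings.append(Finding("ckeditor4", "?", "unknown", "version not found in js"))
    else:
        findings.append(check_eol("ckeditor", ck_version, EOL_SNAPSHOT, today))
    findings.append(check_repo("kcfinder", "3.12", KCFINDER_REPO, today))
    return findings


if __name__ == "__main__":
    for f in audit(date(2025, 5, 27)):
        print(f"{f.name:<10} {f.version:<8} {f.status:<12} {f.reason}")
```

The two checks deliberately stay separate: endoflife.date answers "is this release line still supported", while the repository record answers "is anyone still shipping fixes at all", and a component can fail either test independently. Wire `audit` into CI against the real API responses and fail the build on any finding whose status is not `ok`.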


Activities

Mazi (updater), 2025-06-13 11:26, ~82876

@manfredsteger, the ckeditor issue is a real pain, see the discussion at https://bugs.limesurvey.org/view.php?id=19727.

manfredsteger (reporter), 2025-06-25 06:38, ~82942

Hi @Mazi, it seems I don't have access rights to this issue :(

Mazi (updater), 2025-06-25 10:57, ~82944

@manfredsteger, for security reasons that ticket is set to private, thus you can not access it.
Here is a short summary, it is basically the same case:
"A pentest revealed that some libraries used at LS 6.6.1 are marked as "end-of-life" and thus should not be used any more due to missing future support and patches.
Affected libraries:
ckeditor4: The version used (4.22.1) is marked as end of life, see https://endoflife.date/ckeditor. It is recommended to update to 5.x"

Issue History

Date Modified Username Field Change
2025-05-27 07:34 manfredsteger New Issue
2025-05-27 07:34 manfredsteger File Added: eols.png
2025-06-13 11:26 Mazi Note Added: 82876
2025-06-13 11:26 Mazi Bug heat 250 => 252
2025-06-13 11:30 guest Bug heat 252 => 258
2025-06-25 06:38 manfredsteger Note Added: 82942
2025-06-25 06:38 manfredsteger File Added: Eingefügtes_Bild_25_06_25__06_38.jpg
2025-06-25 06:38 manfredsteger Bug heat 258 => 260
2025-06-25 10:57 Mazi Note Added: 82944
2025-06-26 11:37 c_schmitz Assigned To => c_schmitz
2025-06-26 11:37 c_schmitz Status new => closed
2025-06-26 11:37 c_schmitz Resolution open => duplicate
2025-07-04 16:58 DenisChenu Bug heat 260 => 268