20126: End-of-Life Software Components in LimeSurvey 6.10.x

This bug affects 2 person(s).

268

ID Project Category View Status Date Submitted Last Update

20126 Bug reports Security public 2025-05-27 07:34 2025-07-15 09:32

Reporter manfredsteger Assigned To c_schmitz

Priority none Severity partial_block

Status closed Resolution duplicate

Product Version 6.6.x

Summary 20126: End-of-Life Software Components in LimeSurvey 6.10.x

Description

A recent analysis revealed that LimeSurvey 6.10.x makes use of software components that are either officially End-of-Life (EOL) or no longer maintained. This status implies that these packages no longer receive security updates or patches, making them a liability in production environments.

Name	Version	Latest Version	Reason	Location
ckeditor4	4.22.1	4.25.1	https://endoflife.date/ckeditor	/tmp/assets/a26664b9/ckeditor.js
kcfinder	3.12	3.12	The GitHub repository has been archived; the last update was over 10 years ago.	https://github.com/sunhater/kcfinder

� Recommended Actions

ckeditor4

    Upgrade to the latest available 4.x version if possible (4.25.1), or better: migrate to CKEditor 5, which is actively maintained.

    Note: Officially considered EOL according to endoflife.date.

kcfinder

    The project has been abandoned; consider replacing it with a maintained alternative (e.g., elFinder).

    Retain only in legacy environments if absolutely necessary — not recommended for production use.

Review the entire dependency tree of LimeSurvey and set up automated monitoring for EOL and vulnerable packages.

Steps To Reproduce

OWASP Test or with pentest-tools.com

Tags No tags attached.

Attached Files

eols.png (247,904 bytes)

Bug heat 268

Complete LimeSurvey version number (& build) 6.10.5

I will donate to the project if issue is resolved Yes

Browser FF 138.0.4 (aarch64)

Database type & version Maria DB 11.4

Server OS (if known) Ubuntu 22

Webserver software & version (if known) Apache/2.4.62 (Debian)

PHP Version 8.3.17

User List	There are no users monitoring this issue.

Mazi 2025-06-13 11:26 updater ~82876	@manfredsteger, the ckeditor issue is a real pain, see the discussion at https://bugs.limesurvey.org/view.php?id=19727.

manfredsteger 2025-06-25 06:38 reporter ~82942	Hi @Mazi seams i dont have access rights to this Issue :( Eingefügtes_Bild_25_06_25__06_38.jpg (91,551 bytes) Eingefügtes_Bild_25_06_25__06_38.jpg (91,551 bytes)

Mazi 2025-06-25 10:57 updater ~82944	@manfredsteger, for security reasons that ticket is set to private, thus you can not access it. Here is a short summary, it is basically the same case: "A pentest revealed that some libraries used at LS 6.6.1 are marked as "end-of-life" and thus should not be used any more due to missing future support and patches. Affected libraries: ckeditor4: The version used (4.22.1) is marked as end of life, see https://endoflife.date/ckeditor. It is recommended to uopdate to 5.x"

Date Modified	Username	Field	Change
2025-05-27 07:34	manfredsteger	New Issue
2025-05-27 07:34	manfredsteger	File Added: eols.png
2025-06-13 11:26	Mazi	Note Added: 82876
2025-06-13 11:26	Mazi	Bug heat	250 => 252
2025-06-13 11:30	guest	Bug heat	252 => 258
2025-06-25 06:38	manfredsteger	Note Added: 82942
2025-06-25 06:38	manfredsteger	File Added: Eingefügtes_Bild_25_06_25__06_38.jpg
2025-06-25 06:38	manfredsteger	Bug heat	258 => 260
2025-06-25 10:57	Mazi	Note Added: 82944
2025-06-26 11:37	c_schmitz	Assigned To	=> c_schmitz
2025-06-26 11:37	c_schmitz	Status	new => closed
2025-06-26 11:37	c_schmitz	Resolution	open => duplicate
2025-07-04 16:58	DenisChenu	Bug heat	260 => 268

View Issue Details

Users monitoring this issue

Activities

Issue History