CVE-2025-63238 - Vulnerability Details

Description

A Reflected Cross-Site Scripting (XSS) affects LimeSurvey versions prior to 6.15.11+250909, due to the lack of validation of gid parameter in getInstance() function in application/models/QuestionCreate.php. This allows an attacker to craft a malicious URL and compromise the logged in user.

Published: 2026-04-09

Score: 6.1 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A reflected Cross‑Site Scripting (XSS) vulnerability exists in LimeSurvey through the gid parameter in the QuestionCreate module. Because the gid value is not validated, an attacker can embed malicious scripts in a crafted URL. When a logged‑in user opens the URL, the script executes in their browser, potentially allowing the attacker to steal session cookies, hijack the user’s session, or perform other malicious actions within the context of the authenticated session. The weakness is classified as CWE‑79, indicating improper input handling leading to script injection.

Affected Systems

LimeSurvey installations running any version earlier than 6.15.11+250909 are affected. No other vendors or products are listed as impacted.

Risk and Exploitability

The CVSS base score of 6.1 indicates moderate severity. The EPSS score is below 1 %, and the vulnerability is not listed in CISA’s KEV catalog, suggesting exploitation is unlikely but still possible. The required attack path involves a malicious URL that includes a gid parameter; it specifically targets logged‑in users, so the attacker needs either the user’s credentials or a social‑engineering vector to get the victim to visit the URL. While not highly probable, the impact on confidentiality and integrity for an affected user warrants prompt action.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

affected

Version	Status	Constraints
`n/a`	affected	—

Configuration 1 [-]

cpe:2.3:a:limesurvey:limesurvey:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Limesurvey

85%

Version	Status	Scheme	Platform
`[0,6.15.11+250909)`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update LimeSurvey to version 6.15.11 or newer to apply the vendor patch that validates the gid parameter.
If an update cannot be applied immediately, limit access to the QuestionCreate functionality or the gid query parameter using a web application firewall or custom URL filtering rules.
For environments where the gid parameter is unused, consider removing or renaming it to reduce the attack surface.

Generated by OpenCVE AI on April 10, 2026 at 19:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0003.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://gist.github.com/masquerad3r/f913ab479e8de2ad71987ef98a088fb5
https://github.com/LimeSurvey/LimeSurvey/commit/80769a677dc82ddb1fcced4af19bd959d583208d

History

Thu, 16 Apr 2026 19:15:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:limesurvey:limesurvey::::::::

Mon, 13 Apr 2026 14:30:00 +0000

Type	Values Removed	Values Added
Title	Reflected XSS via gid parameter in LimeSurvey QuestionCreate

Fri, 10 Apr 2026 18:15:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 10 Apr 2026 10:00:00 +0000

Type	Values Removed	Values Added
Title		Reflected XSS via gid parameter in LimeSurvey QuestionCreate
Weaknesses		CWE-79

Fri, 10 Apr 2026 09:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Limesurvey Limesurvey limesurvey
Vendors & Products		Limesurvey Limesurvey limesurvey

Thu, 09 Apr 2026 17:30:00 +0000

Type	Values Removed	Values Added
Description		A Reflected Cross-Site Scripting (XSS) affects LimeSurvey versions prior to 6.15.11+250909, due to the lack of validation of gid parameter in getInstance() function in application/models/QuestionCreate.php. This allows an attacker to craft a malicious URL and compromise the logged in user.
References		https://gist.github.com/masquerad3r/f913ab479e8de2ad71987ef98a088fb5 https://github.com/LimeSurvey/LimeSurvey/commit/80769a677dc82ddb1fcced4af19bd959d583208d

Subscriptions

Limesurvey Limesurvey

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2026-04-09T00:00:00.000Z

Updated: 2026-04-10T18:01:35.784Z

Reserved: 2025-10-27T00:00:00.000Z

Link: CVE-2025-63238

Vulnrichment

Updated: 2026-04-10T18:01:27.940Z

NVD

Status : Analyzed

Published: 2026-04-09T18:16:42.280

Modified: 2026-04-16T19:02:22.450

Link: CVE-2025-63238

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-13T13:06:56Z

Weaknesses

CWE-79

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object