CVE-2020-11456: Fixed issue [security] #16019: Stored XSS in survey groups. (Thanks t… · LimeSurvey/LimeSurvey@04b118a
LimeSurvey before 4.1.12+200324 has stored XSS in application/views/admin/surveysgroups/surveySettings.php and application/models/SurveysGroups.php (aka survey groups).
@@ -41,7 +41,6 @@ public function rules()
array('name’, 'match’, 'pattern’=> '/^[A-Za-z0-9_\.]+$/u’,’message’=> gT(‘Group name can contain only alphanumeric character, underscore or dot.’)),
array('title’, 'length’, 'max’=>100),
array('description, created, modified’, ‘safe’),
array('title, name, description’, ‘LSYii_Validators’),
// The following rule is used by search().
// @todo Please remove those attributes that should not be searched.
array('gsid, name, title, description, owner_id, parent_id, created, modified, created_by’, 'safe’, ‘on’=>’search’),
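Review bot: in rules(), `title` is limited only by length and `description` is declared `safe`, so of the three user-editable text attributes only `name` is held to a harmless character set by its `match` pattern. Filtering of the two free-text fields therefore rests on the `array('title, name, description', 'LSYii_Validators')` rule. The hunk header (7 lines before, 6 after) shows one line leaving this block, and the +/- markers are not visible here, so please confirm that rule is still present in the resulting rules(). Filtering on save does not clean rows stored before the fix, so the surveySettings.php view should also encode title and description on output (for example with CHtml::encode), and a regression test that saves a group with markup in both fields would pin the behaviour down. Separately, `created` and `modified` are mass-assignable through the same `safe` rule; consider dropping them from it if they are meant to be set server-side.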