Vulnerable javascript dependency used in adminsidepanel.js in limesurvey/limesurvey


Reported on Feb 27th 2023


adminsidepanel.js bundles Vue.js v2.6.10, which ships vue-server-renderer together with its vulnerable dependency serialize-javascript.

Proof of Concept

1. Go to and search for the term "Vue.js v2.6.10". Note that the bundled Vue.js version there is 2.6.10.
2. Recheck in the repository at and note that the Vue.js version there is also 2.6.10.
3. Go to and note that this is the release that fixed the vulnerability in vue-server-renderer's dependency serialize-javascript. This means that Vue.js 2.6.10, which predates that release, is vulnerable.


The use of third-party JavaScript libraries can introduce a range of DOM-based vulnerabilities, including some, such as DOM-based XSS, that can be used to hijack user accounts.

We are processing your report and will contact the limesurvey team within 24 hours. 3 months ago
We have contacted a member of the limesurvey team and are waiting to hear back 3 months ago
Carsten Schmitz modified the Severity from Medium (4) to Low (3.3) 2 months ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Carsten Schmitz validated this vulnerability 2 months ago
KhanhCM has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Carsten Schmitz
2 months ago


Thank you - we are working on a fix.

Carsten Schmitz marked this as fixed in 5.6.14 with commit 2688cc 2 months ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
This vulnerability is scheduled to go public on Apr 3rd 2023
adminsidepanel.js#L1-L44 has been validated
Carsten Schmitz published this vulnerability 2 months ago