Vulnerable javascript dependency used in adminsidepanel.js in limesurvey/limesurvey
Reported on Feb 27th 2023
Description
The adminsidepanel.js bundle uses Vue.js v2.6.10, a release that still carries vue-server-renderer's vulnerable dependency on serialize-javascript.
Proof of Concept
1. Go to https://demo.limesurvey.org/tmp/assets/cb9c5d96/build.min/js/adminsidepanel.js and search for the term "Vue.js v2.6.10". Note that the Vue.js version there is 2.6.10.
2. Recheck in the repository at https://github.com/LimeSurvey/LimeSurvey/blob/master/assets/packages/adminsidepanel/build.min/js/adminsidepanel.js and note that the Vue.js version there is also 2.6.10.
3. Go to https://github.com/vuejs/vue/releases/tag/v2.6.11 and note that this is the release that fixed the vulnerability related to vue-server-renderer's dependency on serialize-javascript. This means that Vue.js 2.6.10 and earlier are vulnerable to this.
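The three steps above amount to one check: read the Vue.js version banner out of the bundle and compare it with the release that shipped the fix. The script below is an added example written for this report, not code from LimeSurvey or from the Vue project. It runs over a constructed bundle header (the real file would be fetched from one of the URLs in step 1 or 2 and passed to check_bundle), and the 2.6.11 threshold is taken from step 3. It only inspects the banner; it does not determine which parts of Vue a given bundle actually includes.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Vue 2.x builds open with a banner comment containing "Vue.js vX.Y.Z";
# this is the string that step 1 of the PoC searches for.
VUE_BANNER = re.compile(r"Vue\.js v(\d+)\.(\d+)\.(\d+)")

# First release that updated vue-server-renderer's serialize-javascript
# dependency, per step 3 of the PoC.
FIXED_VERSION: Version = (2, 6, 11)


def find_vue_version(bundle: str) -> Optional[Version]:
    """Return the (major, minor, patch) tuple from the Vue banner, or None."""
    match = VUE_BANNER.search(bundle)
    if match is None:
        return None
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def is_outdated(version: Version, fixed: Version = FIXED_VERSION) -> bool:
    """True when the bundled version predates the fixed release."""
    return version < fixed


def check_bundle(bundle: str) -> str:
    """Human-readable verdict for one JavaScript bundle."""
    version = find_vue_version(bundle)
    if version is None:
        return "no Vue.js banner found"
    found = ".".join(map(str, version))
    fixed = ".".join(map(str, FIXED_VERSION))
    if is_outdated(version):
        return f"Vue.js v{found} predates the fixed release v{fixed}"
    return f"Vue.js v{found} is at or past the fixed release v{fixed}"


# Constructed sample in the shape of a minified Vue 2 bundle header;
# this is not the contents of the real adminsidepanel.js.
SAMPLE_BUNDLE = (
    "/*!\n"
    " * Vue.js v2.6.10\n"
    " * (c) 2014-2019 Evan You\n"
    " * Released under the MIT License.\n"
    " */\n"
    "!function(e,t){/* minified code follows */}();"
)

if __name__ == "__main__":
    print(check_bundle(SAMPLE_BUNDLE))
```

To check the deployed file, download it first (for example with curl) and pass its text to check_bundle; the same regex works on the repository copy from step 2.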
Impact
The use of outdated third-party JavaScript libraries can introduce a range of DOM-based vulnerabilities, including some, such as DOM-based XSS, that can be used to hijack user accounts.