CVE-2024-39063: n/a
Lime Survey <= 6.5.12 is vulnerable to Cross Site Request Forgery (CSRF). The YII_CSRF_TOKEN is only checked when passed in the body of POST requests, but the same check isn't performed in the equivalent GET requests.
AI Analysis
Technical Summary
CVE-2024-39063 identifies a high-severity Cross Site Request Forgery (CSRF) vulnerability in Lime Survey versions up to and including 6.5.12. Lime Survey is built on the Yii framework, whose CSRF protection ties a per-session token, submitted under the parameter name YII_CSRF_TOKEN, to each request that changes state, so that a request forged from another origin cannot supply a matching value. The flaw is in how that check is applied: the token is validated only when it arrives in the body of a POST request, while the same actions remain reachable through equivalent GET requests that are never checked. An attacker who knows the URL of a state-changing action can therefore embed it in a link, an image tag or a redirect; when an authenticated user's browser follows it, the session cookie is attached automatically and the action runs with that user's privileges without any token. Because GET is assumed to be safe, such URLs also end up in browser history, proxy caches and server logs, widening the window in which they can be replayed. The CVSS 3.1 score of 8.8 (High, not Critical) corresponds to a network attack vector, low attack complexity, no privileges required of the attacker, user interaction required, and high impact on confidentiality, integrity and availability; the victim must hold an authenticated Lime Survey session, typically an administrator's, for the forged request to do anything. No patches or official fixes are currently linked on this page, and no known exploits have been reported in the wild. The weakness is classified as CWE-352 (Cross-Site Request Forgery). Organizations running Lime Survey should review their exposure and apply mitigations or updates once available.
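The following Python model shows the shape of the flaw described above and the check that closes it. It is an added example written for this page, not LimeSurvey or Yii source code: it keeps only a session-bound token, the parameter name Yii uses for it (YII_CSRF_TOKEN) and two validators, one reproducing the reported behaviour and one hardened. The route, the surveyid parameter and the X-CSRF-Token header name are placeholders, not LimeSurvey URLs or settings.

```python
"""Model of the CSRF check described for CVE-2024-39063.

Constructed example, not LimeSurvey or Yii code. The route, parameter and
header names below are placeholders chosen for illustration."""
import hmac
import secrets
from dataclasses import dataclass, field

TOKEN_PARAM = "YII_CSRF_TOKEN"          # parameter name used by the Yii framework
TOKEN_HEADER = "X-CSRF-Token"           # header alternative for XHR callers (assumption)
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


@dataclass
class Request:
    method: str
    path: str
    query: dict = field(default_factory=dict)    # parameters carried in the URL
    body: dict = field(default_factory=dict)     # parameters carried in a POST body
    headers: dict = field(default_factory=dict)
    session_token: str = ""                      # token stored in the victim's session


def vulnerable_is_valid(req: Request) -> bool:
    """Reproduces the reported flaw: the token is compared only for POST, and
    only against the body. Any other method is waved through, so a GET that
    carries the same action parameters in the URL is accepted with no token."""
    if req.method != "POST":
        return True
    submitted = req.body.get(TOKEN_PARAM, "")
    return hmac.compare_digest(submitted, req.session_token)


def hardened_is_valid(req: Request, state_changing: bool) -> bool:
    """Hardened variant: safe methods may never perform a state change, and on
    every other method the token is required (from body or header) regardless
    of how the handler was reached."""
    if req.method in SAFE_METHODS:
        return not state_changing
    submitted = req.body.get(TOKEN_PARAM) or req.headers.get(TOKEN_HEADER, "")
    return hmac.compare_digest(submitted, req.session_token)


def scenario() -> dict:
    """Run a legitimate POST and two forged requests through both validators.
    The forged requests model a victim whose browser attaches the session
    cookie automatically; the attacker never learns the token."""
    token = secrets.token_urlsafe(32)
    action = "/admin/survey/delete"   # placeholder route, not a LimeSurvey URL
    legit = Request("POST", action, body={"surveyid": "123", TOKEN_PARAM: token},
                    session_token=token)
    forged_get = Request("GET", action, query={"surveyid": "123"}, session_token=token)
    forged_post = Request("POST", action, body={"surveyid": "123"}, session_token=token)
    return {
        "legit_post":  (vulnerable_is_valid(legit), hardened_is_valid(legit, True)),
        "forged_get":  (vulnerable_is_valid(forged_get), hardened_is_valid(forged_get, True)),
        "forged_post": (vulnerable_is_valid(forged_post), hardened_is_valid(forged_post, True)),
    }


if __name__ == "__main__":
    for name, (vuln, hard) in scenario().items():
        print(f"{name:12s} vulnerable={vuln!s:5} hardened={hard!s:5}")
```

The forged POST is rejected by both validators, which is why the report singles out GET: the vulnerable check is sound for the one method it inspects and simply never runs for the other. The hardened version refuses the state change on GET before looking at any token, so the fix does not depend on a link carrying a value the attacker cannot have.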
Potential Impact
The impact of CVE-2024-39063 is significant for organizations using Lime Survey up to version 6.5.12. Successful exploitation lets an attacker perform actions on behalf of an authenticated user, most damagingly an administrator, by leveraging the missing CSRF token validation on GET requests. This can lead to unauthorized data access, modification or deletion, compromising the confidentiality, integrity and availability of survey data and potentially of systems integrated with Lime Survey. Given Lime Survey's use in academic, governmental and commercial environments for collecting sensitive information, a breach of survey data can have legal, reputational and operational consequences. Attackers could manipulate survey results, disrupt data collection or exfiltrate sensitive information. Because the victim must follow a link while logged in, social engineering (a phishing e-mail, a forum post, or an image tag on a page the target visits) is the likely delivery path, and the forged request needs only the action URL, not the token or the victim's credentials. The vulnerability's network accessibility and the lack of privileges required of the attacker increase the risk of widespread exploitation once the relevant action URLs are publicly documented. Organizations relying on Lime Survey for critical data collection remain at risk until mitigations or patches are applied.
Mitigation Recommendations
To mitigate CVE-2024-39063, organizations should implement the following specific actions:
1) Restrict access to Lime Survey administration interfaces to trusted networks or a VPN to reduce exposure; the forged request still originates from the victim's browser, so this helps only where that browser cannot reach the admin interface from an untrusted network.
2) Employ web application firewalls (WAFs) with custom rules that block GET requests to administrative routes whose path or parameters name a state-changing action, or that carry a Referer from a host other than the application's own.
3) Educate users and administrators to avoid clicking untrusted links and to verify URLs before accessing Lime Survey resources, and to log out of the admin interface when not using it.
4) Monitor server logs for GET requests to administrative routes that name a state change, especially those with a third-party Referer or none at all.
5) Where custom code or middleware is an option, make state-changing actions unreachable over GET (respond with 405 or redirect to a confirmation form) and require the token on every non-safe method whether it arrives in the body or in a header. Validating the token on GET as well would also close the hole, since a followed link carries no token, but refusing state changes on GET is the cleaner fix. Setting the session cookie to SameSite=Strict blocks this GET-based CSRF too, at the cost of users arriving from external links appearing logged out; SameSite=Lax does not help here, because browsers still send Lax cookies on top-level GET navigations.
6) Regularly check for official patches or updates from Lime Survey and apply them promptly once released.
7) Shorten administrator session lifetimes and require re-authentication for destructive actions. CSRF rides on an already authenticated session, so multi-factor authentication at login does not block it, though it still limits what an attacker can do with stolen credentials.
8) Conduct security assessments and penetration tests to verify that no state-changing action remains reachable over GET without a token.
These measures focus on compensating controls and detection until an official patch is applied.
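For the log monitoring in items 2 and 4, the following Python scanner, added here and not part of the advisory or the LimeSurvey project, walks combined-format access log lines and reports GET requests that reach a mutating administrative route from a third-party Referer (strong signal) or with no Referer at all (weak signal; bookmarks and privacy settings also strip it). The host name, the admin path prefix, the action words and the log lines are all constructed; adjust them to the deployed URL scheme.

```python
"""Scan combined-format access logs for GET requests that look like forged
state changes against an administrative interface.

Constructed example, not a LimeSurvey tool. Host names, the admin prefix,
the action words and the sample lines are made up for illustration."""
import re
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
OWN_HOSTS = {"survey.example.org"}            # hostnames the application is served on
ADMIN_PREFIX = "/index.php/admin/"            # hypothetical prefix of the admin area
MUTATING_WORDS = {"delete", "remove", "activate", "deactivate", "update", "save", "import"}


def looks_mutating(target: str) -> bool:
    """True when the request is under the admin prefix and a path segment or
    query value names a state change."""
    parts = urlsplit(target)
    if not parts.path.startswith(ADMIN_PREFIX):
        return False
    words = set(parts.path.lower().split("/"))
    for values in parse_qs(parts.query).values():
        words.update(v.lower() for v in values)
    return bool(words & MUTATING_WORDS)


def flag_suspicious_gets(lines, own_hosts=OWN_HOSTS):
    """Return (line_no, reason, client_ip, target) for each GET that reaches a
    mutating admin route from outside the application or with no Referer.
    POST requests are ignored: those are covered by the token check."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET" or not looks_mutating(m["target"]):
            continue
        referer = m["referer"]
        if referer in ("", "-"):
            hits.append((n, "no-referer", m["ip"], m["target"]))
            continue
        host = urlsplit(referer).hostname
        if host not in own_hosts:
            hits.append((n, "cross-site", m["ip"], m["target"]))
    return hits


SAMPLE_LOG = [  # constructed lines, not from a real deployment
    '10.0.0.5 - - [01/Jul/2024:10:00:01 +0000] "GET /index.php/admin/survey/view/surveyid/123 HTTP/1.1" 200 5120 "https://survey.example.org/index.php/admin/survey/list" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jul/2024:10:00:09 +0000] "GET /index.php/admin/survey/delete?surveyid=123 HTTP/1.1" 302 0 "https://attacker.example/newsletter.html" "Mozilla/5.0"',
    '10.0.0.5 - - [01/Jul/2024:10:00:15 +0000] "POST /index.php/admin/survey/delete HTTP/1.1" 302 0 "https://survey.example.org/index.php/admin/survey/view/surveyid/123" "Mozilla/5.0"',
    '10.0.0.8 - - [01/Jul/2024:10:01:40 +0000] "GET /index.php/admin/survey/deactivate?surveyid=124 HTTP/1.1" 200 880 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for line_no, reason, ip, target in flag_suspicious_gets(SAMPLE_LOG):
        print(f"line {line_no}: {reason:10s} {ip:15s} {target}")
```

Referer is a heuristic: it is absent on many legitimate requests and can be suppressed by a Referrer-Policy on the attacker's page. If the web server can be configured to log the Sec-Fetch-Site request header, a value of cross-site on a mutating GET is a far more reliable indicator and the same loop can key on it instead.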
Affected Countries
United States, Germany, United Kingdom, France, Canada, Australia, Netherlands, Sweden, Japan, South Korea
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2024-06-21T00:00:00.000Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 699f6c81b7ef31ef0b565b63
Added to database: 2/25/2026, 9:41:21 PM
Last enriched: 2/26/2026, 5:46:21 AM
Last updated: 4/12/2026, 5:07:05 PM
Views: 11