CVE-2024-42902: n/a
An issue in the js_localize.php function of LimeSurvey v6.6.2 and before allows attackers to execute arbitrary code via injecting a crafted payload into the lng parameter of the js_localize.php function
AI Analysis
Technical Summary
CVE-2024-42902 is a remote code execution (RCE) vulnerability in js_localize.php, a localization helper script shipped with LimeSurvey, affecting version 6.6.2 and earlier. The root cause is missing validation of the 'lng' (language) request parameter: a user-supplied value reaches a code-generating context without being checked, which is why the issue is classified as CWE-94 (Improper Control of Generation of Code). An attacker holding a low-privileged account (PR:L) can send a crafted 'lng' value and execute arbitrary code on the server hosting LimeSurvey, in the security context of the web server process. The CVSS v3.1 base score is 8.8: network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N), unchanged scope (S:U, implied by the score) and high confidentiality, integrity and availability impact (C:H/I:H/A:H). In practice any authenticated user who can reach the endpoint over the network can exploit it without tricking anyone else; the account requirement is the only barrier, so anonymous visitors are not covered by the description, but stolen, shared or default credentials remove that barrier entirely. No public exploit had been reported at the time of this analysis, but a CWE-94 bug with low complexity and no user interaction is typically weaponized quickly once a fix is public and can be diffed. The record available here carries no patch link, which means either a fix is pending or it has not been documented in this entry; treat installations at 6.6.2 or below as vulnerable and apply interim mitigations. LimeSurvey is a widely deployed open-source survey platform, so affected servers often hold personal or otherwise sensitive response data, which is what makes this bug particularly concerning.
Potential Impact
The impact of CVE-2024-42902 is severe for organizations running a vulnerable LimeSurvey release. Successful exploitation gives the attacker arbitrary code execution as the web server user, which in a typical deployment is enough to read the database credentials from the application configuration, dump or alter collected survey data, disrupt survey delivery, plant a persistent backdoor, and use the host as a pivot point into the rest of the network. The high confidentiality, integrity and availability ratings translate directly into data-breach notification duties, regulatory exposure, loss of respondent trust and operational downtime. Given what LimeSurvey is used for, government, healthcare, education and market-research deployments are the most exposed. Because a low-privileged account is required, the bug is not wormable against anonymous internet traffic, but it is trivially automated by anyone who holds or obtains valid credentials, and it is a natural second stage after credential phishing or password reuse against the LimeSurvey login.
Mitigation Recommendations
1. Upgrade to a LimeSurvey release newer than 6.6.2, the last version the CVE description lists as affected, as soon as a release addressing CVE-2024-42902 is available, and verify the deployed version afterwards.
2. Until the upgrade is done, restrict access to the js_localize.php endpoint at the web server, WAF or network layer to trusted IP ranges or internal networks. Because exploitation needs an account (PR:L), also review who holds LimeSurvey logins, disable stale or shared accounts and enforce strong authentication for the rest.
3. Enforce an allowlist for the 'lng' parameter at the web server or WAF: a language code is a short string of letters, digits and hyphens, so reject any value that does not match that shape rather than trying to denylist individual payload strings.
4. Monitor web server logs for requests to js_localize.php whose 'lng' value contains path separators, quotes, braces, semicolons, percent-encoded control characters or an unusual length, and correlate hits with the authenticated user and source IP. Note that standard access logs do not record POST bodies, so log the query string at minimum and prefer a WAF or application-level log that captures the parameter wherever it is sent.
5. Employ runtime application self-protection (RASP) tools, if available, to detect and block code injection attempts in real time.
6. Conduct security audits and penetration testing of LimeSurvey installations, and run a compromise assessment on exposed hosts: look for unexpected PHP files in writable directories, modified application files, new administrative accounts and unexplained outbound connections.
7. Brief system administrators and developers on this vulnerability so that the upgrade is prioritized and exploitation attempts are recognized.
8. Isolate LimeSurvey instances in a segmented network zone, run the web server process and the database account with least privilege, and keep backups of survey data offline so that compromise of the host does not become compromise of the network or loss of the data.
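Mitigations 3 and 4 both come down to deciding what a legitimate 'lng' value looks like and flagging everything else. The following Python script is an added example, not code from LimeSurvey or from this advisory: it validates the parameter against a constructed locale-tag allowlist and runs that check over constructed Apache/Nginx combined-format access log lines, reporting only requests to js_localize.php. The regular expression for a locale tag, the log format and the sample lines are assumptions made for the example; the malformed 'lng' values are generic suspicious strings, not a known working payload for this CVE.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Allowlist shape for a locale tag ("en", "de-informal", "pt-BR"). This is an
# assumption for the example, not the project's own validation; anything that
# does not fit is treated as suspicious rather than matched against a denylist.
LANG_TAG_RE = re.compile(r"^[a-z]{2,3}(?:-[A-Za-z0-9]{2,8}){0,2}$")

# Combined access-log format as written by Apache and Nginx (assumed layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

TARGET_SCRIPT = "js_localize.php"


def lng_is_well_formed(value: str) -> bool:
    """True only if the (already URL-decoded) lng value looks like a locale tag."""
    # A '%' that survives one round of decoding means double encoding; reject it.
    if "%" in value:
        return False
    return LANG_TAG_RE.fullmatch(value) is not None


def inspect_target(target: str) -> Optional[Dict[str, str]]:
    """Return a finding for a js_localize.php request whose lng fails the allowlist."""
    parts = urlsplit(target)
    if parts.path.rsplit("/", 1)[-1] != TARGET_SCRIPT:
        return None  # other endpoints are out of scope for this check
    params = parse_qs(parts.query, keep_blank_values=True)
    for value in params.get("lng", []):
        if not lng_is_well_formed(value):
            return {"path": parts.path, "lng": value,
                    "reason": "lng does not match locale-tag allowlist"}
    return None


def scan_access_log(lines: List[str]) -> List[Dict[str, str]]:
    """Scan combined-format log lines and collect suspicious js_localize.php requests."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        finding = inspect_target(m.group("target"))
        if finding:
            finding.update(ip=m.group("ip"), ts=m.group("ts"), status=m.group("status"))
            findings.append(finding)
    return findings


# Constructed sample lines. The odd lng values are generic malformed strings,
# not a known working payload for CVE-2024-42902.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2026:12:00:01 +0000] "GET /limesurvey/js_localize.php?lng=en HTTP/1.1" 200 1532',
    '203.0.113.7 - - [10/Mar/2026:12:00:02 +0000] "GET /limesurvey/js_localize.php?lng=de-informal HTTP/1.1" 200 1601',
    '198.51.100.23 - - [10/Mar/2026:12:05:44 +0000] "GET /limesurvey/js_localize.php?lng=../../../tmp/x HTTP/1.1" 200 88',
    '198.51.100.23 - - [10/Mar/2026:12:05:45 +0000] "GET /limesurvey/js_localize.php?lng=en%2527%253Bid HTTP/1.1" 500 0',
    '198.51.100.23 - - [10/Mar/2026:12:05:46 +0000] "GET /limesurvey/index.php?lng=../x HTTP/1.1" 200 4000',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['path']} lng={f['lng']!r} status={f['status']}")
```

Run against the sample, the script reports the two requests from 198.51.100.23 and ignores the same malformed value sent to index.php. The same `lng_is_well_formed` check is what a WAF rule should express: a positive pattern for the one shape the parameter may take. Remember that this only sees what the access log records; a POST body carrying 'lng' never appears here, which is why mitigation 4 asks for parameter-level logging at the WAF or application layer.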
Affected Countries
United States, Germany, United Kingdom, France, Canada, Australia, Netherlands, Sweden, Switzerland, Japan, South Korea
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2024-08-05T00:00:00.000Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 699f6cd0b7ef31ef0b569469
Added to database: 2/25/2026, 9:42:40 PM
Last enriched: 2/28/2026, 6:19:49 AM
Last updated: 4/12/2026, 6:21:50 PM