LimeSurvey is a web application that enables users to design and set up scalable surveys. It is affected by two vulnerabilities: an unauthenticated persistent cross-site scripting vulnerability (CVE-2017-18358) and an authenticated arbitrary file write vulnerability. The first allows attackers to execute malicious JavaScript code in the HTML context of the admin panel, and it can be chained with the second to gain access to the remote system without user interaction. In this chain, attackers add malicious JavaScript code to the admin panel through the Continue Later functionality of a public survey, and then exploit the arbitrary file write vulnerability to gain persistent shell access to the operating system remotely. LimeSurvey has released a fixed version (3) after the vendor acknowledged the issue and provided a proof-of-concept exploit. Updating is highly recommended to prevent exploitation of these vulnerabilities.
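As a defensive illustration of the first issue, the following added example (not code from LimeSurvey or from the original advisory) audits values that unauthenticated participants can store through a feature such as Continue Later, and shows the HTML-encoded form an admin view should emit for them. The row layout, column names and sample values are constructed assumptions.

```python
import html
import re

# Heuristic for markup that has no place in a participant-supplied name or
# e-mail field: tag openers, numeric character references, inline event
# handlers and javascript: URLs. It is a triage aid, not the fix itself.
ACTIVE_MARKUP = re.compile(
    r"<\s*/?\s*[a-zA-Z!]|&#|\bon\w+\s*=|javascript:", re.IGNORECASE
)

# Constructed sample rows; the column names are hypothetical.
SAVED_ROWS = [
    {"id": 1, "identifier": "alice", "email": "alice@example.org"},
    {"id": 2, "identifier": "<script>alert(1)</script>", "email": "b@example.org"},
    {"id": 3, "identifier": "O'Brien & Sons", "email": "ob@example.org"},
]


def audit_rows(rows, fields=("identifier", "email")):
    """Return (row id, field) pairs whose stored value contains active markup."""
    hits = []
    for row in rows:
        for field in fields:
            if ACTIVE_MARKUP.search(str(row.get(field, ""))):
                hits.append((row["id"], field))
    return hits


def render_cell(value):
    """Encode a stored value for an HTML text context (an admin table cell).

    Encoding at output time is the actual mitigation: the browser shows the
    stored characters as text instead of parsing them as markup.
    """
    return "<td>" + html.escape(str(value), quote=True) + "</td>"


if __name__ == "__main__":
    for row_id, field in audit_rows(SAVED_ROWS):
        print(f"row {row_id}: field {field!r} contains active markup")
    for row in SAVED_ROWS:
        print(render_cell(row["identifier"]))
```

A flagged row on an unpatched installation is a reason to review what the admin session did after viewing it, since the page describes the script as a stepping stone to the authenticated file write.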