A reflected cross-site scripting (XSS) vulnerability was found in Limesurvey before 3.17.14 that allows remote attackers to inject arbitrary web script or HTML via extensions of uploaded files.
https://www.limesurvey.org/limesurvey-updates/2188-limesurvey-3-17-14-build-190902-released