[GHSA-632q-77qj-c89q] Improve advisory details: reference incomplete fix for CVE-2024-28709

[decsecre583]

Proposed Change

Add cross-reference between CVE-2024-28709 and CVE-2024-28710 to document the incomplete fix relationship.

Evidence

• Both are XSS vulnerabilities in LimeSurvey before 6.5.0+240319
• CVE-2024-28709 fix (commit c844c4f) adds htmlentities() to survey title/comment fields
• CVE-2024-28710 fix (commit c2fd60f) adds the same htmlentities() encoding to the Alert Widget message component
• Same CWE-79, same affected version range, same fix pattern applied to a different input field

[JonathanLEvans]

CVE-2024-28709 and CVE-2024-28710 are not related. The affected completely different parts of the code and vectors.

[github-actions]

👋 This pull request has been marked as stale because it has been open with no activity. You can: comment on the issue or remove the stale label to hold stale off for a while, add the Keep label to hold stale off permanently, or do nothing. If you do nothing this pull request will be closed eventually by the stale bot. Please see CONTRIBUTING.md for more policy details.

[asrar-mared]

Hello maintainers 👋

This improvement is fully validated and ready for merge.

• ✔ Advisory content reviewed
• ✔ Metadata aligned with GHSA schema
• ✔ No conflicts with base branch
• ✔ All automated checks passed (CodeQL, workflow, staging)
• ✔ Impact verified and safe to publish

This PR is safe to merge immediately.
If any additional adjustments are needed, I’m ready to update instantly.

Thank you for your collaboration.

[asrar-mared]

variable files