LimeSurvey prior to 3.17.14 uses an anti-CSRF cookie without the HttpOnly flag, which allows malicious users to access a cookie value via a client-side script.
limesurvey limesurvey
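
A check for the condition described above, for confirming after an upgrade that the anti-CSRF cookie is sent with HttpOnly. This is an added example, not LimeSurvey code; the cookie names and `Set-Cookie` values are constructed sample data.

```python
# Added example: audit Set-Cookie header values for a missing HttpOnly attribute.
# Cookie names and header values below are constructed, not taken from LimeSurvey.

def parse_set_cookie(header_value):
    """Split one Set-Cookie header value into (name, value, attributes)."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        # Attribute names are case-insensitive (HttpOnly, httponly, HTTPONLY).
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def cookies_missing_httponly(set_cookie_headers, names=None):
    """Return the names of cookies that were set without HttpOnly.

    names: optional set of cookie names to check (for example the
    anti-CSRF cookie only); None checks every cookie in the response.
    """
    missing = []
    for header in set_cookie_headers:
        name, _value, attrs = parse_set_cookie(header)
        if names is not None and name not in names:
            continue
        # Only a real attribute counts; the string appearing inside the
        # cookie value does not protect the cookie from script access.
        if "httponly" not in attrs:
            missing.append(name)
    return missing


# Constructed responses: one with the weak cookie, one with the flag set.
SAMPLE_WEAK = [
    "SESSION_EXAMPLE=abc123; path=/; HttpOnly",
    "CSRF_TOKEN_EXAMPLE=value-mentioning-HttpOnly; path=/",
]
SAMPLE_FIXED = [
    "SESSION_EXAMPLE=abc123; path=/; HttpOnly",
    "CSRF_TOKEN_EXAMPLE=f00dfeed; path=/; httponly; SameSite=Lax",
]

if __name__ == "__main__":
    print("weak :", cookies_missing_httponly(SAMPLE_WEAK))
    print("fixed:", cookies_missing_httponly(SAMPLE_FIXED))
```

Feed it the `Set-Cookie` values captured from a response of your own installation; an empty list means every checked cookie carries the flag.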