LimeSurvey before 4.0.0-RC4 allows SQL injection via the participant model. Post navigation CVE-2020-12878 CVE-2021-3271