Vulnerabilities > Limesurvey

DATE CVE VULNERABILITY TITLE RISK
2019-10-16 CVE-2019-17660 Cross-site Scripting vulnerability in Limesurvey
A cross-site scripting (XSS) vulnerability in admin/translate/translateheader_view.php in LimeSurvey 3.19.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the tolang parameter, as demonstrated by the index.php/admin/translate/sa/index/surveyid/336819/lang/ PATH_INFO.
network
limesurvey CWE-79
4.3
2019-09-09 CVE-2019-16174 XXE vulnerability in Limesurvey
An XML injection vulnerability was found in Limesurvey before 3.17.14 that allows remote attackers to import specially crafted XML files and execute code or compromise data integrity.
6.8
2019-09-09 CVE-2019-16175 Improper Restriction of Rendered UI Layers or Frames vulnerability in Limesurvey
A clickjacking vulnerability was found in Limesurvey before 3.17.14.
4.3
2019-09-09 CVE-2019-16176 Information Exposure vulnerability in Limesurvey
A path disclosure vulnerability was found in Limesurvey before 3.17.14 that allows a remote attacker to discover the path to the application in the filesystem.
network
low complexity
limesurvey CWE-200
5.0
2019-09-09 CVE-2019-16177 Information Exposure vulnerability in Limesurvey
In Limesurvey before 3.17.14, the entire database is exposed through browser caching.
network
low complexity
limesurvey CWE-200
5.0
2019-09-09 CVE-2019-16178 Cross-site Scripting vulnerability in Limesurvey
A stored cross-site scripting (XSS) vulnerability was found in Limesurvey before 3.17.14 that allows authenticated users with correct permissions to inject arbitrary web script or HTML via titles of admin box buttons on the home page.
network
limesurvey CWE-79
3.5
2019-09-09 CVE-2019-16179 Improper Certificate Validation vulnerability in Limesurvey
Limesurvey before 3.17.14 does not enforce SSL/TLS usage in the default configuration.
network
low complexity
limesurvey CWE-295
5.0
2019-09-09 CVE-2019-16180 Information Exposure vulnerability in Limesurvey
Limesurvey before 3.17.14 allows remote attackers to bruteforce the login form and enumerate usernames when the LDAP authentication method is used.
network
low complexity
limesurvey CWE-200
5.0
2019-09-09 CVE-2019-16181 Unspecified vulnerability in Limesurvey
In Limesurvey before 3.17.14, admin users can mark other users' notifications as read.
network
low complexity
limesurvey
4.0
2019-09-09 CVE-2019-16182 Cross-site Scripting vulnerability in Limesurvey
A reflected cross-site scripting (XSS) vulnerability was found in Limesurvey before 3.17.14 that allows remote attackers to inject arbitrary web script or HTML via extensions of uploaded files.
network
limesurvey CWE-79
4.3