Vulnerabilities > Limesurvey

DATE CVE VULNERABILITY TITLE RISK
2018-09-03 CVE-2018-16397 Unrestricted Upload of File with Dangerous Type vulnerability in Limesurvey
In LimeSurvey before 3.14.7, an admin user can leverage a "file upload" question to read an arbitrary file,
network
low complexity
limesurvey CWE-434
4.0
2018-06-26 CVE-2018-1000514 Cross-Site Request Forgery (CSRF) vulnerability in Limesurvey 3.0.0
LimeSurvey version 3.0.0-beta.3+17110 contains a Cross ite Request Forgery (CSRF) vulnerability in Boxes that can result in CSRF admins to delete boxes.
4.3
2018-06-26 CVE-2018-1000513 Cross-site Scripting vulnerability in Limesurvey 3.0.0
LimeSurvey version 3.0.0-beta.3+17110 contains a Cross Site Scripting (XSS) vulnerability in Boxes that can result in JS code execution against LimeSurvey admins.
network
limesurvey CWE-79
3.5
2018-02-28 CVE-2018-7556 Information Exposure vulnerability in multiple products
LimeSurvey 2.6.x before 2.6.7, 2.7x.x before 2.73.1, and 3.x before 3.4.2 mishandles application/controller/InstallerController.php after installation, which allows remote attackers to access the configuration file.
network
low complexity
limesurvey debian CWE-200
6.4
2018-02-09 CVE-2018-1000053 Cross-Site Request Forgery (CSRF) vulnerability in Limesurvey 3.0.0
LimeSurvey version 3.0.0-beta.3+17110 contains a Cross ite Request Forgery (CSRF) vulnerability in Theme Uninstallation that can result in CSRF causing LimeSurvey admins to delete all their themes, rendering the website unusable.
6.8
2015-06-28 CVE-2015-5078 SQL Injection vulnerability in Limesurvey 2.06+
SQL injection vulnerability in the insert function in application/controllers/admin/dataentry.php in LimeSurvey 2.06+ allows remote authenticated users to execute arbitrary SQL commands via the closedate parameter.
network
low complexity
limesurvey CWE-89
6.5
2015-06-18 CVE-2015-4628 SQL Injection vulnerability in Limesurvey
SQL injection vulnerability in application/controllers/admin/questiongroups.php in LimeSurvey before 2.06+ Build 150618 allows remote authenticated administrators to execute arbitrary SQL commands via the sid parameter.
network
low complexity
limesurvey CWE-89
6.5
2014-07-21 CVE-2014-5018 Unspecified vulnerability in Limesurvey 2.05+
Incomplete blacklist vulnerability in the autoEscape function in common_helper.php in LimeSurvey 2.05+ Build 140618 allows remote attackers to conduct cross-site scripting (XSS) attacks via the GBK charset in the loadname parameter to index.php, related to the survey resume.
network
limesurvey
4.3
2014-07-21 CVE-2014-5017 SQL Injection vulnerability in Limesurvey 2.05+
SQL injection vulnerability in CPDB in application/controllers/admin/participantsaction.php in LimeSurvey 2.05+ Build 140618 allows remote attackers to execute arbitrary SQL commands via the sidx parameter in a JSON request to admin/participants/sa/getParticipants_json, related to a search parameter.
network
low complexity
limesurvey CWE-89
7.5
2014-07-21 CVE-2014-5016 Cross-Site Scripting vulnerability in Limesurvey 2.05+
Multiple cross-site scripting (XSS) vulnerabilities in LimeSurvey 2.05+ Build 140618 allow remote attackers to inject arbitrary web script or HTML via (1) the pid attribute to the getAttribute_json function to application/controllers/admin/participantsaction.php in CPDB, (2) the sa parameter to application/views/admin/globalSettings_view.php, or (3) a crafted CSV file to the "Import CSV" functionality.
network
limesurvey CWE-79
4.3