Vulnerabilities > Limesurvey
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2014-07-21 | CVE-2014-5018 | Unspecified vulnerability in Limesurvey 2.05+ Incomplete blacklist vulnerability in the autoEscape function in common_helper.php in LimeSurvey 2.05+ Build 140618 allows remote attackers to conduct cross-site scripting (XSS) attacks via the GBK charset in the loadname parameter to index.php, related to the survey resume. network limesurvey | 4.3 |
2014-07-21 | CVE-2014-5017 | SQL Injection vulnerability in Limesurvey 2.05+ SQL injection vulnerability in CPDB in application/controllers/admin/participantsaction.php in LimeSurvey 2.05+ Build 140618 allows remote attackers to execute arbitrary SQL commands via the sidx parameter in a JSON request to admin/participants/sa/getParticipants_json, related to a search parameter. | 7.5 |
2014-07-21 | CVE-2014-5016 | Cross-Site Scripting vulnerability in Limesurvey 2.05+ Multiple cross-site scripting (XSS) vulnerabilities in LimeSurvey 2.05+ Build 140618 allow remote attackers to inject arbitrary web script or HTML via (1) the pid attribute to the getAttribute_json function to application/controllers/admin/participantsaction.php in CPDB, (2) the sa parameter to application/views/admin/globalSettings_view.php, or (3) a crafted CSV file to the "Import CSV" functionality. | 4.3 |
2013-02-12 | CVE-2011-5256 | Cross-Site Scripting vulnerability in Limesurvey Cross-site scripting (XSS) vulnerability in the tooltips in LimeSurvey before 1.91+ Build 11379-20111116, when viewing survey results, allows remote attackers to inject arbitrary web script or HTML via unknown parameters. | 2.6 |
2012-09-19 | CVE-2012-4995 | Cross-Site Scripting vulnerability in Limesurvey Cross-site scripting (XSS) vulnerability in admin/userrighthandling.php in LimeSurvey before 1.91+ Build 120224 allows remote attackers to inject arbitrary web script or HTML via the full_name parameter in a moduser action to admin/admin.php. | 4.3 |
2012-09-19 | CVE-2012-4994 | SQL Injection vulnerability in Limesurvey SQL injection vulnerability in admin/admin.php in LimeSurvey before 1.91+ Build 120224 allows remote authenticated users to execute arbitrary SQL commands via the id parameter in a browse action. | 6.5 |
2012-09-15 | CVE-2012-4927 | SQL Injection vulnerability in Limesurvey SQL injection vulnerability in Limesurvey (a.k.a PHPSurveyor) before 1.91+ Build 120224 and earlier allows remote attackers to execute arbitrary SQL commands via the fieldnames parameter to index.php. | 7.5 |
2011-09-23 | CVE-2011-3752 | Information Exposure vulnerability in Limesurvey 1.90+ LimeSurvey 1.90+ build9642-20101214 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by admin/statistics.php and certain other files. | 5.0 |
2007-10-18 | CVE-2007-5573 | Code Injection vulnerability in Limesurvey 1.01 PHP remote file inclusion vulnerability in classes/core/language.php in LimeSurvey 1.5.2 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the rootdir parameter. | 6.8 |
2007-07-10 | CVE-2007-3632 | Remote Security vulnerability in Limesurvey 1.49Rc2 Multiple PHP remote file inclusion vulnerabilities in LimeSurvey (aka PHPSurveyor) 1.49RC2 allow remote attackers to execute arbitrary PHP code via a URL in the homedir parameter to (1) OLE/PPS/File.php, (2) OLE/PPS/Root.php, (3) Spreadsheet/Excel/Writer.php, or (4) OLE/PPS.php in admin/classes/pear/; or (5) Worksheet.php, (6) Parser.php, (7) Workbook.php, (8) Format.php, or (9) BIFFwriter.php in admin/classes/pear/Spreadsheet/Excel/Writer/. network limesurvey | 6.8 |