Vulnerabilities > Limesurvey

DATE CVE VULNERABILITY TITLE RISK
2014-07-21 CVE-2014-5018 Unspecified vulnerability in Limesurvey 2.05+
Incomplete blacklist vulnerability in the autoEscape function in common_helper.php in LimeSurvey 2.05+ Build 140618 allows remote attackers to conduct cross-site scripting (XSS) attacks via the GBK charset in the loadname parameter to index.php, related to the survey resume.
network
limesurvey
4.3
2014-07-21 CVE-2014-5017 SQL Injection vulnerability in Limesurvey 2.05+
SQL injection vulnerability in CPDB in application/controllers/admin/participantsaction.php in LimeSurvey 2.05+ Build 140618 allows remote attackers to execute arbitrary SQL commands via the sidx parameter in a JSON request to admin/participants/sa/getParticipants_json, related to a search parameter.
network
low complexity
limesurvey CWE-89
7.5
2014-07-21 CVE-2014-5016 Cross-Site Scripting vulnerability in Limesurvey 2.05+
Multiple cross-site scripting (XSS) vulnerabilities in LimeSurvey 2.05+ Build 140618 allow remote attackers to inject arbitrary web script or HTML via (1) the pid attribute to the getAttribute_json function to application/controllers/admin/participantsaction.php in CPDB, (2) the sa parameter to application/views/admin/globalSettings_view.php, or (3) a crafted CSV file to the "Import CSV" functionality.
network
limesurvey CWE-79
4.3
2013-02-12 CVE-2011-5256 Cross-Site Scripting vulnerability in Limesurvey
Cross-site scripting (XSS) vulnerability in the tooltips in LimeSurvey before 1.91+ Build 11379-20111116, when viewing survey results, allows remote attackers to inject arbitrary web script or HTML via unknown parameters.
network
high complexity
limesurvey CWE-79
2.6
2012-09-19 CVE-2012-4995 Cross-Site Scripting vulnerability in Limesurvey
Cross-site scripting (XSS) vulnerability in admin/userrighthandling.php in LimeSurvey before 1.91+ Build 120224 allows remote attackers to inject arbitrary web script or HTML via the full_name parameter in a moduser action to admin/admin.php.
network
limesurvey CWE-79
4.3
2012-09-19 CVE-2012-4994 SQL Injection vulnerability in Limesurvey
SQL injection vulnerability in admin/admin.php in LimeSurvey before 1.91+ Build 120224 allows remote authenticated users to execute arbitrary SQL commands via the id parameter in a browse action.
network
low complexity
limesurvey CWE-89
6.5
2012-09-15 CVE-2012-4927 SQL Injection vulnerability in Limesurvey
SQL injection vulnerability in Limesurvey (a.k.a PHPSurveyor) before 1.91+ Build 120224 and earlier allows remote attackers to execute arbitrary SQL commands via the fieldnames parameter to index.php.
network
low complexity
limesurvey CWE-89
7.5
2011-09-23 CVE-2011-3752 Information Exposure vulnerability in Limesurvey 1.90+
LimeSurvey 1.90+ build9642-20101214 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by admin/statistics.php and certain other files.
network
low complexity
limesurvey CWE-200
5.0
2007-10-18 CVE-2007-5573 Code Injection vulnerability in Limesurvey 1.01
PHP remote file inclusion vulnerability in classes/core/language.php in LimeSurvey 1.5.2 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the rootdir parameter.
network
limesurvey CWE-94
6.8
2007-07-10 CVE-2007-3632 Remote Security vulnerability in Limesurvey 1.49Rc2
Multiple PHP remote file inclusion vulnerabilities in LimeSurvey (aka PHPSurveyor) 1.49RC2 allow remote attackers to execute arbitrary PHP code via a URL in the homedir parameter to (1) OLE/PPS/File.php, (2) OLE/PPS/Root.php, (3) Spreadsheet/Excel/Writer.php, or (4) OLE/PPS.php in admin/classes/pear/; or (5) Worksheet.php, (6) Parser.php, (7) Workbook.php, (8) Format.php, or (9) BIFFwriter.php in admin/classes/pear/Spreadsheet/Excel/Writer/.
network
limesurvey
6.8