Vulnerabilities > Limesurvey > Critical

DATE CVE VULNERABILITY TITLE RISK
2023-01-27 CVE-2022-48008 Unrestricted Upload of File with Dangerous Type vulnerability in Limesurvey 5.4.15
An arbitrary file upload vulnerability in the plugin manager of LimeSurvey v5.4.15 allows attackers to execute arbitrary code via a crafted PHP file.
network
low complexity
limesurvey CWE-434
critical
9.8
2021-02-14 CVE-2019-25019 SQL Injection vulnerability in Limesurvey
LimeSurvey before 4.0.0-RC4 allows SQL injection via the participant model.
network
low complexity
limesurvey CWE-89
critical
9.8
2020-04-01 CVE-2020-11455 Path Traversal vulnerability in Limesurvey
LimeSurvey before 4.1.12+200324 contains a path traversal vulnerability in application/controllers/admin/LimeSurveyFileManager.php.
network
low complexity
limesurvey CWE-22
critical
9.8
2019-09-09 CVE-2019-16184 Improper Neutralization of Formula Elements in a CSV File vulnerability in Limesurvey
A CSV injection vulnerability was found in Limesurvey before 3.17.14 that allows survey participants to inject commands via their survey responses that will be included in the export CSV file.
network
low complexity
limesurvey CWE-1236
critical
9.8
2019-03-24 CVE-2019-9960 Path Traversal vulnerability in Limesurvey
The downloadZip function in application/controllers/admin/export.php in LimeSurvey through 3.16.1+190225 allows a relative path.
network
low complexity
limesurvey CWE-22
critical
9.8
2018-09-14 CVE-2018-17057 Deserialization of Untrusted Data vulnerability in multiple products
An issue was discovered in TCPDF before 6.2.22.
network
low complexity
tecnick limesurvey CWE-502
critical
9.8
2018-02-28 CVE-2018-7556 Information Exposure vulnerability in multiple products
LimeSurvey 2.6.x before 2.6.7, 2.7x.x before 2.73.1, and 3.x before 3.4.2 mishandles application/controller/InstallerController.php after installation, which allows remote attackers to access the configuration file.
network
low complexity
limesurvey debian CWE-200
critical
9.1