Vulnerabilities > Limesurvey > High

DATE CVE VULNERABILITY TITLE RISK
2022-11-15 CVE-2022-43279 SQL Injection vulnerability in Limesurvey 5.4.4
LimeSurvey before v5.0.4 was discovered to contain a SQL injection vulnerability via the component /application/views/themeOptions/update.php.
network
low complexity
limesurvey CWE-89
7.2
2022-02-24 CVE-2021-44967 Unrestricted Upload of File with Dangerous Type vulnerability in Limesurvey 5.2.4
A Remote Code Execution (RCE) vulnerability exists in LimeSurvey 5.2.4 via the upload and install plugins function, which could let a remote malicious user upload an arbitrary PHP code file.
network
low complexity
limesurvey CWE-434
8.8
2019-09-09 CVE-2019-16187 Incorrect Permission Assignment for Critical Resource vulnerability in Limesurvey
Limesurvey before 3.17.14 uses an anti-CSRF cookie without the HttpOnly flag, which allows attackers to access a cookie value via a client-side script.
network
low complexity
limesurvey CWE-732
7.5
2019-09-09 CVE-2019-16186 Incorrect Default Permissions vulnerability in Limesurvey
In Limesurvey before 3.17.14, admin users can access the plugin manager without proper permissions.
network
low complexity
limesurvey CWE-276
7.2
2019-09-09 CVE-2019-16185 Incorrect Default Permissions vulnerability in Limesurvey
In Limesurvey before 3.17.14, admin users can view, update, or delete reserved menu entries without proper permissions.
network
low complexity
limesurvey CWE-276
7.2
2019-09-09 CVE-2019-16177 Information Exposure vulnerability in Limesurvey
In Limesurvey before 3.17.14, the entire database is exposed through browser caching.
network
low complexity
limesurvey CWE-200
7.5
2019-09-09 CVE-2019-16174 XXE vulnerability in Limesurvey
An XML injection vulnerability was found in Limesurvey before 3.17.14 that allows remote attackers to import specially crafted XML files and execute code or compromise data integrity.
network
low complexity
limesurvey CWE-611
8.8
2019-08-26 CVE-2019-15640 Improper Input Validation vulnerability in Limesurvey
Limesurvey before 3.17.10 does not validate both the MIME type and file extension of an image.
network
low complexity
limesurvey CWE-20
7.5
2018-09-06 CVE-2018-1000659 Path Traversal vulnerability in Limesurvey
LimeSurvey version 3.14.4 and earlier contains a directory traversal vulnerability in the file upload functionality that allows upload of a webshell, which can result in remote code execution as an authenticated user.
network
low complexity
limesurvey CWE-22
8.8
2018-09-06 CVE-2018-1000658 Unrestricted Upload of File with Dangerous Type vulnerability in Limesurvey
LimeSurvey versions prior to 3.14.4 contain a file upload vulnerability in the upload functionality that can result in an attacker gaining code execution via a webshell.
network
low complexity
limesurvey CWE-434
8.8