Vulnerabilities > Limesurvey > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-03-16 | CVE-2019-14512 | Cross-site Scripting vulnerability in Limesurvey 3.17.7+190627 LimeSurvey 3.17.7+190627 has XSS via Boxes in application/extensions/PanelBoxWidget/views/box.php or a label title in application/views/admin/labels/labelview_view.php. | 4.3 |
| 2019-10-16 | CVE-2019-17660 | Cross-site Scripting vulnerability in Limesurvey A cross-site scripting (XSS) vulnerability in admin/translate/translateheader_view.php in LimeSurvey 3.19.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the tolang parameter, as demonstrated by the index.php/admin/translate/sa/index/surveyid/336819/lang/ PATH_INFO. | 4.3 |
| 2019-09-09 | CVE-2019-16187 | Incorrect Permission Assignment for Critical Resource vulnerability in Limesurvey Limesurvey before 3.17.14 uses an anti-CSRF cookie without the HttpOnly flag, which allows attackers to access a cookie value via a client-side script. | 5.0 |
| 2019-09-09 | CVE-2019-16186 | Incorrect Default Permissions vulnerability in Limesurvey In Limesurvey before 3.17.14, admin users can access the plugin manager without proper permissions. | 6.5 |
| 2019-09-09 | CVE-2019-16185 | Incorrect Default Permissions vulnerability in Limesurvey In Limesurvey before 3.17.14, admin users can view, update, or delete reserved menu entries without proper permissions. | 6.5 |
| 2019-09-09 | CVE-2019-16183 | Incorrect Default Permissions vulnerability in Limesurvey In Limesurvey before 3.17.14, admin users can run an integrity check without proper permissions. | 4.0 |
| 2019-09-09 | CVE-2019-16182 | Cross-site Scripting vulnerability in Limesurvey A reflected cross-site scripting (XSS) vulnerability was found in Limesurvey before 3.17.14 that allows remote attackers to inject arbitrary web script or HTML via extensions of uploaded files. | 4.3 |
| 2019-09-09 | CVE-2019-16181 | Unspecified vulnerability in Limesurvey In Limesurvey before 3.17.14, admin users can mark other users' notifications as read. | 4.0 |
| 2019-09-09 | CVE-2019-16180 | Information Exposure vulnerability in Limesurvey Limesurvey before 3.17.14 allows remote attackers to bruteforce the login form and enumerate usernames when the LDAP authentication method is used. | 5.0 |
| 2019-09-09 | CVE-2019-16179 | Improper Certificate Validation vulnerability in Limesurvey Limesurvey before 3.17.14 does not enforce SSL/TLS usage in the default configuration. | 5.0 |