Vulnerabilities > Limesurvey > Medium

DATE CVE VULNERABILITY TITLE RISK
2020-03-16 CVE-2019-14512 Cross-site Scripting vulnerability in Limesurvey 3.17.7+190627
LimeSurvey 3.17.7+190627 has XSS via Boxes in application/extensions/PanelBoxWidget/views/box.php or a label title in application/views/admin/labels/labelview_view.php.
network
limesurvey CWE-79
4.3
2019-10-16 CVE-2019-17660 Cross-site Scripting vulnerability in Limesurvey
A cross-site scripting (XSS) vulnerability in admin/translate/translateheader_view.php in LimeSurvey 3.19.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the tolang parameter, as demonstrated by the index.php/admin/translate/sa/index/surveyid/336819/lang/ PATH_INFO.
network
limesurvey CWE-79
4.3
2019-09-09 CVE-2019-16187 Incorrect Permission Assignment for Critical Resource vulnerability in Limesurvey
Limesurvey before 3.17.14 uses an anti-CSRF cookie without the HttpOnly flag, which allows attackers to access a cookie value via a client-side script.
network
low complexity
limesurvey CWE-732
5.0
2019-09-09 CVE-2019-16186 Incorrect Default Permissions vulnerability in Limesurvey
In Limesurvey before 3.17.14, admin users can access the plugin manager without proper permissions.
network
low complexity
limesurvey CWE-276
6.5
2019-09-09 CVE-2019-16185 Incorrect Default Permissions vulnerability in Limesurvey
In Limesurvey before 3.17.14, admin users can view, update, or delete reserved menu entries without proper permissions.
network
low complexity
limesurvey CWE-276
6.5
2019-09-09 CVE-2019-16183 Incorrect Default Permissions vulnerability in Limesurvey
In Limesurvey before 3.17.14, admin users can run an integrity check without proper permissions.
network
low complexity
limesurvey CWE-276
4.0
2019-09-09 CVE-2019-16182 Cross-site Scripting vulnerability in Limesurvey
A reflected cross-site scripting (XSS) vulnerability was found in Limesurvey before 3.17.14 that allows remote attackers to inject arbitrary web script or HTML via extensions of uploaded files.
network
limesurvey CWE-79
4.3
2019-09-09 CVE-2019-16181 Unspecified vulnerability in Limesurvey
In Limesurvey before 3.17.14, admin users can mark other users' notifications as read.
network
low complexity
limesurvey
4.0
2019-09-09 CVE-2019-16180 Information Exposure vulnerability in Limesurvey
Limesurvey before 3.17.14 allows remote attackers to bruteforce the login form and enumerate usernames when the LDAP authentication method is used.
network
low complexity
limesurvey CWE-200
5.0
2019-09-09 CVE-2019-16179 Improper Certificate Validation vulnerability in Limesurvey
Limesurvey before 3.17.14 does not enforce SSL/TLS usage in the default configuration.
network
low complexity
limesurvey CWE-295
5.0