Vulnerabilities > Limesurvey > Medium

DATE CVE VULNERABILITY TITLE RISK
2018-09-06 CVE-2018-1000659 Path Traversal vulnerability in Limesurvey
LimeSurvey version 3.14.4 and earlier contains a directory traversal in file upload that allows upload of webshell vulnerability in file upload functionality that can result in remote code execution as authenticated user.
network
low complexity
limesurvey CWE-22
6.5
2018-09-06 CVE-2018-1000658 Unrestricted Upload of File with Dangerous Type vulnerability in Limesurvey
LimeSurvey version prior to 3.14.4 contains a file upload vulnerability in upload functionality that can result in an attacker gaining code execution via webshell.
network
low complexity
limesurvey CWE-434
6.5
2018-09-03 CVE-2018-16397 Unrestricted Upload of File with Dangerous Type vulnerability in Limesurvey
In LimeSurvey before 3.14.7, an admin user can leverage a "file upload" question to read an arbitrary file,
network
low complexity
limesurvey CWE-434
4.0
2018-06-26 CVE-2018-1000514 Cross-Site Request Forgery (CSRF) vulnerability in Limesurvey 3.0.0
LimeSurvey version 3.0.0-beta.3+17110 contains a Cross ite Request Forgery (CSRF) vulnerability in Boxes that can result in CSRF admins to delete boxes.
4.3
2018-02-28 CVE-2018-7556 Information Exposure vulnerability in multiple products
LimeSurvey 2.6.x before 2.6.7, 2.7x.x before 2.73.1, and 3.x before 3.4.2 mishandles application/controller/InstallerController.php after installation, which allows remote attackers to access the configuration file.
network
low complexity
limesurvey debian CWE-200
6.4
2018-02-09 CVE-2018-1000053 Cross-Site Request Forgery (CSRF) vulnerability in Limesurvey 3.0.0
LimeSurvey version 3.0.0-beta.3+17110 contains a Cross ite Request Forgery (CSRF) vulnerability in Theme Uninstallation that can result in CSRF causing LimeSurvey admins to delete all their themes, rendering the website unusable.
6.8
2015-06-28 CVE-2015-5078 SQL Injection vulnerability in Limesurvey 2.06+
SQL injection vulnerability in the insert function in application/controllers/admin/dataentry.php in LimeSurvey 2.06+ allows remote authenticated users to execute arbitrary SQL commands via the closedate parameter.
network
low complexity
limesurvey CWE-89
6.5
2015-06-18 CVE-2015-4628 SQL Injection vulnerability in Limesurvey
SQL injection vulnerability in application/controllers/admin/questiongroups.php in LimeSurvey before 2.06+ Build 150618 allows remote authenticated administrators to execute arbitrary SQL commands via the sid parameter.
network
low complexity
limesurvey CWE-89
6.5
2014-07-21 CVE-2014-5018 Unspecified vulnerability in Limesurvey 2.05+
Incomplete blacklist vulnerability in the autoEscape function in common_helper.php in LimeSurvey 2.05+ Build 140618 allows remote attackers to conduct cross-site scripting (XSS) attacks via the GBK charset in the loadname parameter to index.php, related to the survey resume.
network
limesurvey
4.3
2014-07-21 CVE-2014-5016 Cross-Site Scripting vulnerability in Limesurvey 2.05+
Multiple cross-site scripting (XSS) vulnerabilities in LimeSurvey 2.05+ Build 140618 allow remote attackers to inject arbitrary web script or HTML via (1) the pid attribute to the getAttribute_json function to application/controllers/admin/participantsaction.php in CPDB, (2) the sa parameter to application/views/admin/globalSettings_view.php, or (3) a crafted CSV file to the "Import CSV" functionality.
network
limesurvey CWE-79
4.3