Lucene search

[email protected]CVE-2014-5017

HistoryOct 03, 2022 - 4:20 p.m.

CVE-2014-5017

2022-10-0316:20:43

CWE-89

[email protected]

web.nvd.nist.gov

cve-2014-5017

sql injection

cpdb

limesurvey

security vulnerability

remote attackers

json request

admin participants

nvd

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

8.7 High

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

49.1%

JSON

SQL injection vulnerability in CPDB in application/controllers/admin/participantsaction.php in LimeSurvey 2.05+ Build 140618 allows remote attackers to execute arbitrary SQL commands via the sidx parameter in a JSON request to admin/participants/sa/getParticipants_json, related to a search parameter.

Affected configurations

NVD

Node

limesurveylimesurveyMatch2.05\+

CPENameOperatorVersion
limesurvey:limesurveylimesurveyeq2.05+

CPE	Name	Operator	Version
limesurvey:limesurvey	limesurvey	eq	2.05+

References

packetstormsecurity.com/files/127369/Lime-Survey-2.05-Build-140618-XSS-SQL-Injection.html

github.com/LimeSurvey/LimeSurvey/commit/9938bcd1df8ea27052557c722a67b00c0e7d6cb6

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

8.7 High

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

49.1%

JSON

Related for CVE-2014-5017

nvd1 cvelist1 prion1