Lucene search

[email protected]CVE-2014-5018

HistoryOct 03, 2022 - 4:20 p.m.

CVE-2014-5018

2022-10-0316:20:42

[email protected]

web.nvd.nist.gov

cve

incomplete blacklist vulnerability

cross-site scripting

xss

limesurvey

gbk charset

nvd

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

6 Medium

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

53.1%

JSON

Incomplete blacklist vulnerability in the autoEscape function in common_helper.php in LimeSurvey 2.05+ Build 140618 allows remote attackers to conduct cross-site scripting (XSS) attacks via the GBK charset in the loadname parameter to index.php, related to the survey resume.

Affected configurations

NVD

Node

limesurveylimesurveyMatch2.05\+

CPENameOperatorVersion
limesurvey:limesurveylimesurveyeq2.05+

CPE	Name	Operator	Version
limesurvey:limesurvey	limesurvey	eq	2.05+

References

packetstormsecurity.com/files/127369/Lime-Survey-2.05-Build-140618-XSS-SQL-Injection.html

github.com/LimeSurvey/LimeSurvey/commit/3a6dd6b44cef2fa3f96f403e1cb971d8d0d694b5

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

6 Medium

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

53.1%

JSON

Related for CVE-2014-5018

nvd1 cvelist1 prion1