Limesurvey Security Vulnerabilities
Cross Site Scripting (XSS) vulnerability in LimeSurvey before version 6.2.9-230925 allows a remote attacker to escalate privileges via a crafted script to the _generaloptions_panel.php...
5.4CVSS
6.5AI Score
0.001EPSS
LimeSurvey v5.4.15 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the component /index.php/surveyAdministration/rendersidemenulink?subaction=surveytexts. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into....
5.4CVSS
5.3AI Score
0.001EPSS
An arbitrary file upload vulnerability in the plugin manager of LimeSurvey v5.4.15 allows attackers to execute arbitrary code via a crafted PHP...
9.8CVSS
9.6AI Score
0.003EPSS
LimeSurvey v5.4.4 was discovered to contain a SQL injection vulnerability via the component...
7.2CVSS
7.2AI Score
0.001EPSS
A cross-site scripting (XSS) vulnerability in uploadConfirm.php of LimeSurvey v5.3.9 and below allows attackers to execute arbitrary web scripts or HTML via a crafted...
6.1CVSS
5.9AI Score
0.001EPSS
A Remote Code Execution (RCE) vulnerabilty exists in LimeSurvey 5.2.4 via the upload and install plugins function, which could let a remote malicious user upload an arbitrary PHP code...
8.8CVSS
9AI Score
0.022EPSS
Cross-site scripting (XSS) vulnerability in /application/controller/admin/theme.php in LimeSurvey 3.6.2+180406 allows remote attackers to inject arbitrary web script or HTML via the changes_cp parameter to the index.php/admin/themes/sa/templatesavechanges...
6.1CVSS
6AI Score
0.001EPSS
The "File upload question" functionality in LimeSurvey 3.x-LTS through 3.27.18 allows XSS in assets/scripts/modaldialog.js and...
6.1CVSS
6AI Score
0.001EPSS
Cross Site Scripting vulnerabilty in LimeSurvey 4.1.11+200316 via the (1) name and (2) description parameters in...
6.1CVSS
6.9AI Score
0.001EPSS
Cross Site Scripting (XSS) vulneraiblity in LimeSurvey 4.2.5 on textbox via the Notifications & data...
5.4CVSS
6.5AI Score
0.001EPSS
9.8CVSS
8.6AI Score
0.002EPSS
LimeSurvey 3.21.1 is affected by cross-site scripting (XSS) in the Add Participants Function (First and last name parameters). When the survey participant being edited, e.g. by an administrative user, the JavaScript code will be executed in the...
5.4CVSS
6.4AI Score
0.001EPSS
LimeSurvey 3.21.1 is affected by cross-site scripting (XSS) in the Quota component of the Survey page. When the survey quota being viewed, e.g. by an administrative user, the JavaScript code will be executed in the...
5.4CVSS
6.4AI Score
0.001EPSS
A stored cross-site scripting (XSS) vulnerability in LimeSurvey before and including 3.21.1 allows authenticated users with correct permissions to inject arbitrary web script or HTML via parameter ParticipantAttributeNamesDropdown of the Attributes on the central participant database page. When...
5.4CVSS
5.2AI Score
0.001EPSS
LimeSurvey 4.3.2 allows reflected XSS because application/controllers/LSBaseController.php lacks code to validate...
6.1CVSS
6.6AI Score
0.001EPSS
LimeSurvey before 4.1.12+200324 has stored XSS in application/views/admin/surveysgroups/surveySettings.php and application/models/SurveysGroups.php (aka survey...
5.4CVSS
5.2AI Score
0.002EPSS
9.8CVSS
9.3AI Score
0.878EPSS
LimeSurvey 3.17.7+190627 has XSS via Boxes in application/extensions/PanelBoxWidget/views/box.php or a label title in...
6.1CVSS
5.9AI Score
0.001EPSS
A cross-site scripting (XSS) vulnerability in admin/translate/translateheader_view.php in LimeSurvey 3.19.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the tolang parameter, as demonstrated by the index.php/admin/translate/sa/index/surveyid/336819/lang/...
6.1CVSS
5.6AI Score
0.001EPSS
7.5CVSS
6.8AI Score
0.002EPSS
Limesurvey before 3.17.14 allows remote attackers to bruteforce the login form and enumerate usernames when the LDAP authentication method is...
5.3CVSS
7.1AI Score
0.002EPSS
In Limesurvey before 3.17.14, admin users can access the plugin manager without proper...
7.2CVSS
6.8AI Score
0.001EPSS
5.3CVSS
6.8AI Score
0.001EPSS
In Limesurvey before 3.17.14, admin users can mark other users' notifications as...
2.7CVSS
6.8AI Score
0.001EPSS
4.3CVSS
6.8AI Score
0.001EPSS
A reflected cross-site scripting (XSS) vulnerability was found in Limesurvey before 3.17.14 that allows remote attackers to inject arbitrary web script or HTML via extensions of uploaded...
6.1CVSS
5.5AI Score
0.001EPSS
A path disclosure vulnerability was found in Limesurvey before 3.17.14 that allows a remote attacker to discover the path to the application in the...
5.3CVSS
6.7AI Score
0.002EPSS
A stored cross-site scripting (XSS) vulnerability was found in Limesurvey before 3.17.14 that allows authenticated users with correct permissions to inject arbitrary web script or HTML via titles of admin box buttons on the home...
5.4CVSS
5AI Score
0.001EPSS
A CSV injection vulnerability was found in Limesurvey before 3.17.14 that allows survey participants to inject commands via their survey responses that will be included in the export CSV...
9.8CVSS
7.2AI Score
0.003EPSS
Limesurvey before 3.17.14 uses an anti-CSRF cookie without the HttpOnly flag, which allows attackers to access a cookie value via a client-side...
7.5CVSS
6.7AI Score
0.002EPSS
In Limesurvey before 3.17.14, admin users can run an integrity check without proper...
2.7CVSS
6.8AI Score
0.001EPSS
In Limesurvey before 3.17.14, admin users can view, update, or delete reserved menu entries without proper...
7.2CVSS
6.8AI Score
0.001EPSS
An XML injection vulnerability was found in Limesurvey before 3.17.14 that allows remote attackers to import specially crafted XML files and execute code or compromise data...
8.8CVSS
7.7AI Score
0.007EPSS
LimeSurvey before v3.17.14 allows reflected XSS for escalating privileges from a low-privileged account to, for example, SuperAdmin. This occurs in...
5.4CVSS
5.1AI Score
0.009EPSS
LimeSurvey before v3.17.14 allows stored XSS for escalating privileges from a low-privileged account to, for example, SuperAdmin. The attack uses a survey group in which the title contains JavaScript that is mishandled upon group...
5.4CVSS
5.1AI Score
0.009EPSS
Limesurvey before 3.17.10 does not validate both the MIME type and file extension of an...
7.5CVSS
6.8AI Score
0.001EPSS
The downloadZip function in application/controllers/admin/export.php in LimeSurvey through 3.16.1+190225 allows a relative...
9.8CVSS
9.3AI Score
0.003EPSS
LimeSurvey before 2.72.4 has Stored XSS by using the Continue Later (aka Resume later) feature to enter an email address, which is mishandled in the admin...
6.1CVSS
5.8AI Score
0.001EPSS
LimeSurvey version 3.15.5 contains a Cross-site scripting (XSS) vulnerability in Survey Resource zip upload, resulting in Javascript code execution against LimeSurvey administrators. Fixed in version...
6.1CVSS
6.5AI Score
0.001EPSS
In LimeSurvey 3.14.7, HTML Injection and Stored XSS have been discovered in the appendix via the surveyls_title parameter to...
6.1CVSS
6.1AI Score
0.001EPSS
An issue was discovered in TCPDF before 6.2.22. Attackers can trigger deserialization of arbitrary data via the phar://...
9.8CVSS
9.3AI Score
0.267EPSS
LimeSurvey version prior to 3.14.4 contains a file upload vulnerability in upload functionality that can result in an attacker gaining code execution via webshell. This attack appear to be exploitable via an authenticated user uploading a zip archive which can contains malicious php files that can....
8.8CVSS
7.2AI Score
0.001EPSS
LimeSurvey version 3.14.4 and earlier contains a directory traversal in file upload that allows upload of webshell vulnerability in file upload functionality that can result in remote code execution as authenticated user. This attack appear to be exploitable via An authenticated user can upload a.....
8.8CVSS
8AI Score
0.003EPSS
In LimeSurvey before 3.14.7, an admin user can leverage a "file upload" question to read an arbitrary...
4.9CVSS
6.7AI Score
0.001EPSS
LimeSurvey version 3.0.0-beta.3+17110 contains a Cross ite Request Forgery (CSRF) vulnerability in Boxes that can result in CSRF admins to delete boxes. This vulnerability appears to have been fixed in...
4.3CVSS
7.6AI Score
0.001EPSS
LimeSurvey version 3.0.0-beta.3+17110 contains a Cross Site Scripting (XSS) vulnerability in Boxes that can result in JS code execution against LimeSurvey admins. This vulnerability appears to have been fixed in...
4.8CVSS
7AI Score
0.001EPSS
LimeSurvey 2.6.x before 2.6.7, 2.7x.x before 2.73.1, and 3.x before 3.4.2 mishandles application/controller/InstallerController.php after installation, which allows remote attackers to access the configuration...
9.1CVSS
7AI Score
0.003EPSS
LimeSurvey version 3.0.0-beta.3+17110 contains a Cross ite Request Forgery (CSRF) vulnerability in Theme Uninstallation that can result in CSRF causing LimeSurvey admins to delete all their themes, rendering the website unusable. This attack appear to be exploitable via Simple HTML markup can be...
8.8CVSS
6.9AI Score
0.001EPSS
SQL injection vulnerability in the insert function in application/controllers/admin/dataentry.php in LimeSurvey 2.06+ allows remote authenticated users to execute arbitrary SQL commands via the closedate...
8.8AI Score
0.001EPSS
SQL injection vulnerability in application/controllers/admin/questiongroups.php in LimeSurvey before 2.06+ Build 150618 allows remote authenticated administrators to execute arbitrary SQL commands via the sid...
8.9AI Score
0.002EPSS