Limesurvey Security Vulnerabilities
Cross Site Scripting (XSS) vulnerability in LimeSurvey before version 6.2.9-230925 allows a remote attacker to escalate privileges via a crafted script to the _generaloptions_panel.php...
5.4CVSS
5.3AI Score
0.001EPSS
LimeSurvey v5.4.15 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the component /index.php/surveyAdministration/rendersidemenulink?subaction=surveytexts. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into....
5.4CVSS
5.3AI Score
0.001EPSS
An arbitrary file upload vulnerability in the plugin manager of LimeSurvey v5.4.15 allows attackers to execute arbitrary code via a crafted PHP...
9.8CVSS
9.6AI Score
0.003EPSS
LimeSurvey before v5.0.4 was discovered to contain a SQL injection vulnerability via the component...
7.2CVSS
7.2AI Score
0.001EPSS
In LimeSurvey before 3.14.7, an admin user can leverage a "file upload" question to read an arbitrary...
4.9CVSS
5.2AI Score
0.001EPSS
LimeSurvey version prior to 3.14.4 contains a file upload vulnerability in upload functionality that can result in an attacker gaining code execution via webshell. This attack appear to be exploitable via an authenticated user uploading a zip archive which can contains malicious php files that can....
8.8CVSS
8.8AI Score
0.001EPSS
LimeSurvey version 3.14.4 and earlier contains a directory traversal in file upload that allows upload of webshell vulnerability in file upload functionality that can result in remote code execution as authenticated user. This attack appear to be exploitable via An authenticated user can upload a.....
8.8CVSS
9.1AI Score
0.002EPSS
SQL injection vulnerability in CPDB in application/controllers/admin/participantsaction.php in LimeSurvey 2.05+ Build 140618 allows remote attackers to execute arbitrary SQL commands via the sidx parameter in a JSON request to admin/participants/sa/getParticipants_json, related to a search...
8.7AI Score
0.001EPSS
Incomplete blacklist vulnerability in the autoEscape function in common_helper.php in LimeSurvey 2.05+ Build 140618 allows remote attackers to conduct cross-site scripting (XSS) attacks via the GBK charset in the loadname parameter to index.php, related to the survey...
6AI Score
0.002EPSS
Multiple cross-site scripting (XSS) vulnerabilities in LimeSurvey 2.05+ Build 140618 allow remote attackers to inject arbitrary web script or HTML via (1) the pid attribute to the getAttribute_json function to application/controllers/admin/participantsaction.php in CPDB, (2) the sa parameter to...
5.8AI Score
0.002EPSS
Cross-site scripting (XSS) vulnerability in the tooltips in LimeSurvey before 1.91+ Build 11379-20111116, when viewing survey results, allows remote attackers to inject arbitrary web script or HTML via unknown...
5.9AI Score
0.001EPSS
LimeSurvey 1.90+ build9642-20101214 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by admin/statistics.php and certain other...
6.3AI Score
0.003EPSS
A cross-site scripting (XSS) vulnerability in uploadConfirm.php of LimeSurvey v5.3.9 and below allows attackers to execute arbitrary web scripts or HTML via a crafted...
6.1CVSS
5.8AI Score
0.001EPSS
A Remote Code Execution (RCE) vulnerabilty exists in LimeSurvey 5.2.4 via the upload and install plugins function, which could let a remote malicious user upload an arbitrary PHP code...
8.8CVSS
9AI Score
0.022EPSS
Cross-site scripting (XSS) vulnerability in /application/controller/admin/theme.php in LimeSurvey 3.6.2+180406 allows remote attackers to inject arbitrary web script or HTML via the changes_cp parameter to the index.php/admin/themes/sa/templatesavechanges...
6.1CVSS
6AI Score
0.001EPSS
The "File upload question" functionality in LimeSurvey 3.x-LTS through 3.27.18 allows XSS in assets/scripts/modaldialog.js and...
6.1CVSS
5.9AI Score
0.001EPSS
Cross Site Scripting vulnerabilty in LimeSurvey 4.1.11+200316 via the (1) name and (2) description parameters in...
6.1CVSS
6.1AI Score
0.001EPSS
Cross Site Scripting (XSS) vulneraiblity in LimeSurvey 4.2.5 on textbox via the Notifications & data...
5.4CVSS
5.3AI Score
0.001EPSS
9.8CVSS
9.9AI Score
0.002EPSS
LimeSurvey 3.21.1 is affected by cross-site scripting (XSS) in the Add Participants Function (First and last name parameters). When the survey participant being edited, e.g. by an administrative user, the JavaScript code will be executed in the...
5.4CVSS
5.2AI Score
0.001EPSS
LimeSurvey 3.21.1 is affected by cross-site scripting (XSS) in the Quota component of the Survey page. When the survey quota being viewed, e.g. by an administrative user, the JavaScript code will be executed in the...
5.4CVSS
5.2AI Score
0.001EPSS
A stored cross-site scripting (XSS) vulnerability in LimeSurvey before and including 3.21.1 allows authenticated users with correct permissions to inject arbitrary web script or HTML via parameter ParticipantAttributeNamesDropdown of the Attributes on the central participant database page. When...
5.4CVSS
5.1AI Score
0.001EPSS
LimeSurvey 4.3.2 allows reflected XSS because application/controllers/LSBaseController.php lacks code to validate...
6.1CVSS
6AI Score
0.001EPSS
LimeSurvey before 4.1.12+200324 has stored XSS in application/views/admin/surveysgroups/surveySettings.php and application/models/SurveysGroups.php (aka survey...
5.4CVSS
5.4AI Score
0.002EPSS
9.8CVSS
9.3AI Score
0.876EPSS
LimeSurvey 3.17.7+190627 has XSS via Boxes in application/extensions/PanelBoxWidget/views/box.php or a label title in...
6.1CVSS
5.9AI Score
0.001EPSS
A cross-site scripting (XSS) vulnerability in admin/translate/translateheader_view.php in LimeSurvey 3.19.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the tolang parameter, as demonstrated by the index.php/admin/translate/sa/index/surveyid/336819/lang/...
6.1CVSS
5.9AI Score
0.001EPSS
In Limesurvey before 3.17.14, admin users can access the plugin manager without proper...
7.2CVSS
7.1AI Score
0.001EPSS
Limesurvey before 3.17.14 uses an anti-CSRF cookie without the HttpOnly flag, which allows attackers to access a cookie value via a client-side...
7.5CVSS
7.5AI Score
0.002EPSS
7.5CVSS
7.6AI Score
0.002EPSS
Limesurvey before 3.17.14 allows remote attackers to bruteforce the login form and enumerate usernames when the LDAP authentication method is...
5.3CVSS
5.8AI Score
0.002EPSS
5.3CVSS
5.6AI Score
0.001EPSS
In Limesurvey before 3.17.14, admin users can mark other users' notifications as...
2.7CVSS
4.3AI Score
0.001EPSS
4.3CVSS
4.9AI Score
0.001EPSS
A path disclosure vulnerability was found in Limesurvey before 3.17.14 that allows a remote attacker to discover the path to the application in the...
5.3CVSS
5.5AI Score
0.002EPSS
A stored cross-site scripting (XSS) vulnerability was found in Limesurvey before 3.17.14 that allows authenticated users with correct permissions to inject arbitrary web script or HTML via titles of admin box buttons on the home...
5.4CVSS
5.2AI Score
0.001EPSS
A reflected cross-site scripting (XSS) vulnerability was found in Limesurvey before 3.17.14 that allows remote attackers to inject arbitrary web script or HTML via extensions of uploaded...
6.1CVSS
6AI Score
0.001EPSS
In Limesurvey before 3.17.14, admin users can run an integrity check without proper...
2.7CVSS
4.3AI Score
0.001EPSS
A CSV injection vulnerability was found in Limesurvey before 3.17.14 that allows survey participants to inject commands via their survey responses that will be included in the export CSV...
9.8CVSS
9.5AI Score
0.003EPSS
In Limesurvey before 3.17.14, admin users can view, update, or delete reserved menu entries without proper...
7.2CVSS
7.1AI Score
0.001EPSS
An XML injection vulnerability was found in Limesurvey before 3.17.14 that allows remote attackers to import specially crafted XML files and execute code or compromise data...
8.8CVSS
8.8AI Score
0.007EPSS
LimeSurvey before v3.17.14 allows stored XSS for escalating privileges from a low-privileged account to, for example, SuperAdmin. The attack uses a survey group in which the title contains JavaScript that is mishandled upon group...
5.4CVSS
5.4AI Score
0.009EPSS
LimeSurvey before v3.17.14 allows reflected XSS for escalating privileges from a low-privileged account to, for example, SuperAdmin. This occurs in...
5.4CVSS
5.4AI Score
0.009EPSS
Limesurvey before 3.17.10 does not validate both the MIME type and file extension of an...
7.5CVSS
7.6AI Score
0.001EPSS
The downloadZip function in application/controllers/admin/export.php in LimeSurvey through 3.16.1+190225 allows a relative...
9.8CVSS
9.3AI Score
0.003EPSS
LimeSurvey before 2.72.4 has Stored XSS by using the Continue Later (aka Resume later) feature to enter an email address, which is mishandled in the admin...
6.1CVSS
5.8AI Score
0.001EPSS
LimeSurvey version 3.15.5 contains a Cross-site scripting (XSS) vulnerability in Survey Resource zip upload, resulting in Javascript code execution against LimeSurvey administrators. Fixed in version...
6.1CVSS
6.3AI Score
0.001EPSS
In LimeSurvey 3.14.7, HTML Injection and Stored XSS have been discovered in the appendix via the surveyls_title parameter to...
6.1CVSS
6.1AI Score
0.001EPSS
An issue was discovered in TCPDF before 6.2.22. Attackers can trigger deserialization of arbitrary data via the phar://...
9.8CVSS
9AI Score
0.267EPSS
LimeSurvey version 3.0.0-beta.3+17110 contains a Cross ite Request Forgery (CSRF) vulnerability in Boxes that can result in CSRF admins to delete boxes. This vulnerability appears to have been fixed in...
4.3CVSS
4.8AI Score
0.001EPSS