52 matches found
CVE-2026-50635
LimeSurvey constructs account password-reset links from the client-supplied HTTP Host header without validating it. The optional allowedHosts allowlist that would constrain this is undefined in the default and documented configuration, so LSHttpRequest::checkIsAllowedHost results in no operation....
CVE-2026-50635
LimeSurvey constructs account password-reset links from the client-supplied HTTP Host header without validating it. The optional allowedHosts allowlist that would constrain this is undefined in the default and documented configuration, so LSHttpRequest::checkIsAllowedHost results in no operation....
CVE-2025-63238
A Reflected Cross-Site Scripting XSS affects LimeSurvey versions prior to 6.15.11+250909, due to the lack of validation of gid parameter in getInstance function in application/models/QuestionCreate.php. This allows an attacker to craft a malicious URL and compromise the logged in user...
CVE-2025-63238
A Reflected Cross-Site Scripting XSS affects LimeSurvey versions prior to 6.15.11+250909, due to the lack of validation of gid parameter in getInstance function in application/models/QuestionCreate.php. This allows an attacker to craft a malicious URL and compromise the logged in user...
LimeSurvey(PHPSurveyor) 安全漏洞
LimeSurvey PHPSurveyor is a set of open-source online survey programs developed by the LimeSurvey team. It supports functions such as survey program development, survey questionnaire publishing, and data collection. Versions of LimeSurvey PHPSurveyor prior to 6.15.11+250909 had security...
CVE-2025-63238
A Reflected Cross-Site Scripting XSS affects LimeSurvey versions prior to 6.15.11+250909, due to the lack of validation of gid parameter in getInstance function in application/models/QuestionCreate.php. This allows an attacker to craft a malicious URL and compromise the logged in user...
CVE-2025-56421
SQL Injection vulnerability in LimeSurvey before v.6.15.4+250710 allows a remote attacker to obtain sensitive information from the database...
SQL Injection
Overview limesurvey/limesurvey is a FOSS online survey tool on the web. Affected versions of this package are vulnerable to SQL Injection via the statistics module. An attacker can access sensitive information by injecting malicious SQL statements. Remediation Upgrade limesurvey/limesurvey to...
LimeSurvey is vulnerable to SQL injection
SQL Injection vulnerability in LimeSurvey before v.6.15.4+250710 allows a remote attacker to obtain sensitive information from the database...
CVE-2025-56421
SQL Injection vulnerability in LimeSurvey before v.6.15.4+250710 allows a remote attacker to obtain sensitive information from the database...
LimeSurvey 安全漏洞
LimeSurvey PHPSurveyor is a set of open-source online survey programs developed by the LimeSurvey team. It supports functions such as survey program development, survey questionnaire publishing, and data collection. Versions of LimeSurvey prior to 6.15.0+250623 had security vulnerabilities, which...
CVE-2025-56421
SQL Injection vulnerability in LimeSurvey before v.6.15.4+250710 allows a remote attacker to obtain sensitive information from the database...
CVE-2024-39063
Lime Survey = 6.5.12 is vulnerable to Cross Site Request Forgery CSRF. The YIICSRFTOKEN is only checked when passed in the body of POST requests, but the same check isn't performed in the equivalent GET requests...
CVE-2025-41076
In version 6.13.0 of LimeSurvey, any external user can cause a 500 error in the survey system by sending a malformed session cookie. Instead of displaying a generic error message, the system exposes internal backend information, including the use of the Yii framework, the MySQL/MariaDB database...
CVE-2025-41074
Vulnerability in LimeSurvey 6.13.0 in the endpoint /optout that causes infinite HTTP redirects when accessed directly. This behavior can be exploited to generate a Denegation of Service DoS attack, by exhausting server or client resources. The system is unable to break the redirect loop, which ca...
CVE-2025-41076
In version 6.13.0 of LimeSurvey, any external user can cause a 500 error in the survey system by sending a malformed session cookie. Instead of displaying a generic error message, the system exposes internal backend information, including the use of the Yii framework, the MySQL/MariaDB database...
BIT-LIMESURVEY-2024-42901
A CSV injection vulnerability in Lime Survey v6.5.12 allows attackers to execute arbitrary code via uploading a crafted CSV file...
CVE-2024-42901
A CSV injection vulnerability in Lime Survey v6.5.12 allows attackers to execute arbitrary code via uploading a crafted CSV file...
CVE-2024-24506
Cross Site Scripting XSS vulnerability in Lime Survey Community Edition Version v.5.3.32+220817, allows remote attackers to execute arbitrary code via the Administrator email address parameter in the General Setting function...
PT-2024-22530 · Unknown · Limesurvey
Name of the Vulnerable Software and Affected Versions: LimeSurvey versions prior to 6.5.12+240611 Description: A Cross Site Scripting vulnerability allows a remote attacker to execute arbitrary code via a crafted script to the title and comment fields. This issue enables the execution of arbitrar...