| CVE | BDSA | Severity | Date | Description | Affected versions |
|---|---|---|---|---|---|
| CVE-2018-1000658 | BDSA-2018-3111 | High | Sep 06, 2018 | LimeSurvey versions prior to 3.14.4 contain a file upload vulnerability in the upload functionality that can result in an attacker gaining code execution via a webshell. This attack appears to be exploitable by an authenticated user uploading a zip archive that can contain malicious PHP files, which can be called under certain circumstances. This vulnerability appears to have been fixed after commit 91d143230eb357260a19c8424b3005deb49a47f7 / in version 3.14.4. | 2.2.5, 3.3.1, 3.1.0, 1.1.0, 1.91, 1.87, 1.86, 1.85, 1.82, 1.81 |
| CVE-2017-18358 | BDSA-2017-3665 | Medium | Jan 15, 2019 | LimeSurvey before 2.72.4 has stored XSS via the Continue Later (aka Resume later) feature, which accepts an email address that is mishandled in the admin panel. | 2.2.5, 1.1.0, 1.91, 1.87, 1.86, 1.85, 1.82, 1.81, 1.80, 1.72 |
| CVE-2015-4628 | | | Jun 18, 2015 | SQL injection vulnerability in application/controllers/admin/questiongroups.php in LimeSurvey before 2.06+ Build 150618 allows remote authenticated administrators to execute arbitrary SQL commands via the sid parameter. | 2.2.5, 1.1.0, 1.91, 1.87, 1.86, 1.85, 1.82, 1.81, 1.80, 1.72 |
| | BDSA-2022-3854 | Medium | Jan 31, 2023 | LimeSurvey is vulnerable to stored cross-site scripting (XSS). This could allow an authenticated attacker with administrator privileges to execute arbitrary code and obtain sensitive information such as authentication tokens and user session cookies, or manipulate how pages are rendered. **Note**: the vendor has stated they do not consider this a vulnerability because the manipulation requires Superadministrator privileges, and Superadministrators are already allowed to customize surveys with JavaScript as they wish. | |
| | BDSA-2022-3469 | Medium | Dec 06, 2022 | LimeSurvey is vulnerable to blind SQL injection (SQLi) due to improper validation of client-provided request parameters. This allows a remote attacker to extract, modify, and delete information from the database associated with the application. | |
| | BDSA-2021-4159 | Medium | Feb 24, 2022 | LimeSurvey is vulnerable to remote code execution (RCE) via the plugin upload functionality. An attacker with administrator privileges could upload a malicious plugin archive that would create a new page on the website. Accessing the page would allow remote execution of arbitrary OS commands on the host. | |
| | BDSA-2021-3783 | Medium | Dec 16, 2021 | LimeSurvey contains a cross-site scripting (XSS) vulnerability due to unsanitized user input. A remote attacker can exploit this to steal a victim's session tokens, cookies and other sensitive information. | |
| | BDSA-2020-4492 | High | Jun 29, 2021 | LimeSurvey is vulnerable to reflected cross-site scripting (XSS) due to improper validation of user-supplied input in the `Notifications & data` feature. An attacker with administrative privileges could inject arbitrary web scripts into the vulnerable field and steal sensitive information such as authentication tokens and user session cookies. | |
| | BDSA-2020-4491 | High | Jun 29, 2021 | LimeSurvey is vulnerable to stored cross-site scripting (XSS) due to improper validation of user-supplied input. This could allow an attacker to inject arbitrary web scripts and steal sensitive information such as authentication tokens and user session cookies. | |
| | BDSA-2020-3965 | High | Jan 01, 2021 | LimeSurvey is vulnerable to a stored cross-site scripting (XSS) issue. An attacker could use this to execute arbitrary script code in the context of a user's browser, leading to the theft of session cookies or other sensitive information. | |