CVE-2021-44967
https://notcve.org/view.php?id=CVE-2021-44967
A Remote Code Execution (RCE) vulnerabilty exists in LimeSurvey 5.2.4 via the upload and install plugins function, which could let a remote malicious user upload an arbitrary PHP code file. Se presenta una vulnerabilidad de Ejecución de Código Remota (RCE) en LimeSurvey versión 5.2.4 por medio de la función upload and install plugins, que podría permitir a un usuario remoto malicioso cargar un archivo de código PHP arbitrario • https://github.com/Y1LD1R1M-1337/Limesurvey-RCE https://www.exploit-db.com/exploits/50573 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVE-2018-10228
https://notcve.org/view.php?id=CVE-2018-10228
Cross-site scripting (XSS) vulnerability in /application/controller/admin/theme.php in LimeSurvey 3.6.2+180406 allows remote attackers to inject arbitrary web script or HTML via the changes_cp parameter to the index.php/admin/themes/sa/templatesavechanges URI. Una vulnerabilidad de tipo Cross-site scripting (XSS) en el archivo /application/controller/admin/theme.php en LimeSurvey versión 3.6.2+180406, permite a atacantes remotos inyectar scripts web o HTML arbitrarios por medio del parámetro changes_cp al URI index.php/admin/themes/sa/templatesavechanges • http://limesurvey.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2021-42112
https://notcve.org/view.php?id=CVE-2021-42112
The "File upload question" functionality in LimeSurvey 3.x-LTS through 3.27.18 allows XSS in assets/scripts/modaldialog.js and assets/scripts/uploader.js. La funcionalidad "File upload question" en LimeSurvey versiones 3.x-LTS hasta 3.27.18, permite un ataque de tipo XSS en assets/scripts/modaldialog.js y assets/scripts/uploader.js • https://bugs.limesurvey.org/view.php?id=17562 https://github.com/LimeSurvey/LimeSurvey/commit/d56619a50cfd191bbffd0adb660638a5e438070d https://www.on-x.com/sites/default/files/on-x_-_security_advisory_-_limesurvey_-_cve-2021-42112.pdf • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2020-22607
https://notcve.org/view.php?id=CVE-2020-22607
Cross Site Scripting vulnerabilty in LimeSurvey 4.1.11+200316 via the (1) name and (2) description parameters in application/controllers/admin/PermissiontemplatesController.php. Una vulnerabilidad de tipo Cross Site Scripting en LimeSurvey versión 4.1.11+200316, por medio de los parámetros (1) name y (2) description en el archivo application/controllers/admin/PermissiontemplatesController.php • https://github.com/LimeSurvey/LimeSurvey/commit/2aada33c76efbbc35d33c149ac02b1dc16a81f62 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2020-23710
https://notcve.org/view.php?id=CVE-2020-23710
Cross Site Scripting (XSS) vulneraiblity in LimeSurvey 4.2.5 on textbox via the Notifications & data feature. Una vulnerabilidad de tipo Cross Site Scripting (XSS) en LimeSurvey versión 4.2.5, en el textbox por medio de la funcionalidad Notifications & data • https://github.com/LimeSurvey/LimeSurvey/pull/1441#partial-pull-merging • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •