CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2020-25798
https://notcve.org/view.php?id=CVE-2020-25798
17 Nov 2020 — A stored cross-site scripting (XSS) vulnerability in LimeSurvey before and including 3.21.1 allows authenticated users with correct permissions to inject arbitrary web script or HTML via parameter ParticipantAttributeNamesDropdown of the Attributes on the central participant database page. When the survey attribute being edited or viewed, e.g. by an administrative user, the JavaScript code will be executed in the browser. Una vulnerabilidad de tipo cross-site scripting (XSS) almacenado en LimeSurvey version... • https://bugs.limesurvey.org/view.php?id=15672 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2020-16192
https://notcve.org/view.php?id=CVE-2020-16192
05 Aug 2020 — LimeSurvey 4.3.2 allows reflected XSS because application/controllers/LSBaseController.php lacks code to validate parameters. LimeSurvey versión 4.3.2, permite un ataque de tipo XSS reflejado porque el archivo application/controllers/LSBaseController.php carece de código para comprobar los parámetros • https://github.com/LimeSurvey/LimeSurvey/pull/1479/commits/4109a8d157e46c48ca34b995ef61a6e0f6905236 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 92%CPEs: 3EXPL: 2CVE-2020-11455 – LimeSurvey 4.1.11 - 'File Manager' Path Traversal
https://notcve.org/view.php?id=CVE-2020-11455
01 Apr 2020 — LimeSurvey before 4.1.12+200324 contains a path traversal vulnerability in application/controllers/admin/LimeSurveyFileManager.php. LimeSurvey versiones anteriores a 4.1.12+200324, contiene una vulnerabilidad de salto de ruta en el archivo application/controllers/admin/LimeSurveyFileManager.php. LimeSurvey version 4.1.11 suffers from a File Manager path traversal vulnerability. • https://www.exploit-db.com/exploits/48297 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 5.4EPSS: 0%CPEs: 3EXPL: 2CVE-2020-11456 – LimeSurvey 4.1.11 - 'Survey Groups' Persistent Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2020-11456
01 Apr 2020 — LimeSurvey before 4.1.12+200324 has stored XSS in application/views/admin/surveysgroups/surveySettings.php and application/models/SurveysGroups.php (aka survey groups). LimeSurvey versiones anteriores a 4.1.12+200324, presenta una vulnerabilidad de tipo XSS almacenado en los archivos application/views/admin/surveysgroups/surveySettings.php y application/models/SurveysGroups.php (también se conoce como survey groups). LimeSurvey version 4.1.11 suffers from a Survey Groups persistent cross site scripting vuln... • https://www.exploit-db.com/exploits/48289 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2019-14512
https://notcve.org/view.php?id=CVE-2019-14512
16 Mar 2020 — LimeSurvey 3.17.7+190627 has XSS via Boxes in application/extensions/PanelBoxWidget/views/box.php or a label title in application/views/admin/labels/labelview_view.php. LimeSurvey versiones 3.17.7+190627, presenta una vulnerabilidad de tipo XSS por medio de Boxes en el archivo application/extensions/PanelBoxWidget/views/box.php o un título de etiqueta en el archivo application/views/admin/labels/labelview_view.php. • https://github.com/LimeSurvey/LimeSurvey/commit/0b7391dff91b326284ca3fc5188b768b5d522d88 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2019-17660
https://notcve.org/view.php?id=CVE-2019-17660
16 Oct 2019 — A cross-site scripting (XSS) vulnerability in admin/translate/translateheader_view.php in LimeSurvey 3.19.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the tolang parameter, as demonstrated by the index.php/admin/translate/sa/index/surveyid/336819/lang/ PATH_INFO. Una vulnerabilidad de tipo cross-site scripting (XSS) en el archivo admin/translate/translateheader_view.php en LimeSurvey versión 3.19.1 y anteriores, permite a atacantes remotos inyectar script web o HTML arbit... • https://github.com/kbgsft/vuln-limesurvey/wiki/Reflected-XSS-in-LimeSurvey-3.19.1-by-xcuter • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2019-16174
https://notcve.org/view.php?id=CVE-2019-16174
09 Sep 2019 — An XML injection vulnerability was found in Limesurvey before 3.17.14 that allows remote attackers to import specially crafted XML files and execute code or compromise data integrity. Se encontró una vulnerabilidad de inyección XML en Limesurvey versiones anteriores a 3.17.14, que permite a atacantes remotos importar archivos XML especialmente diseñados y ejecutar código o comprometer la integridad de los datos. • https://github.com/LimeSurvey/LimeSurvey/commit/5870fd1037058bc4e43cccf893b576c72293371e#diff-d539f3f8185667ee48db78e1bf65a3b4R40 • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2019-16175
https://notcve.org/view.php?id=CVE-2019-16175
09 Sep 2019 — A clickjacking vulnerability was found in Limesurvey before 3.17.14. Se encontró una vulnerabilidad de secuestro de cliqueo en Limesurvey versiones anteriores a 3.17.14. • https://github.com/LimeSurvey/LimeSurvey/commit/5870fd1037058bc4e43cccf893b576c72293371e#diff-d539f3f8185667ee48db78e1bf65a3b4R41 • CWE-1021: Improper Restriction of Rendered UI Layers or Frames •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2019-16176
https://notcve.org/view.php?id=CVE-2019-16176
09 Sep 2019 — A path disclosure vulnerability was found in Limesurvey before 3.17.14 that allows a remote attacker to discover the path to the application in the filesystem. Se encontró una vulnerabilidad de divulgación de ruta (path) en Limesurvey versiones anteriores a 3.17.14, que permite a un atacante remoto descubrir la ruta para la aplicación en el sistema de archivos. • https://github.com/LimeSurvey/LimeSurvey/commit/5870fd1037058bc4e43cccf893b576c72293371e#diff-d539f3f8185667ee48db78e1bf65a3b4R43 •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2019-16177
https://notcve.org/view.php?id=CVE-2019-16177
09 Sep 2019 — In Limesurvey before 3.17.14, the entire database is exposed through browser caching. En Limesurvey versiones anteriores a 3.17.14, la base de datos completa es expuesta por medio del almacenamiento en caché del navegador. • https://github.com/LimeSurvey/LimeSurvey/commit/5870fd1037058bc4e43cccf893b576c72293371e#diff-d539f3f8185667ee48db78e1bf65a3b4R53 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •