CVSS: 9.8EPSS: 91%CPEs: 3EXPL: 2CVE-2020-11455 – LimeSurvey 4.1.11 - 'File Manager' Path Traversal
https://notcve.org/view.php?id=CVE-2020-11455
LimeSurvey before 4.1.12+200324 contains a path traversal vulnerability in application/controllers/admin/LimeSurveyFileManager.php. LimeSurvey versiones anteriores a 4.1.12+200324, contiene una vulnerabilidad de salto de ruta en el archivo application/controllers/admin/LimeSurveyFileManager.php. LimeSurvey version 4.1.11 suffers from a File Manager path traversal vulnerability. • https://www.exploit-db.com/exploits/48297 http://packetstormsecurity.com/files/157112/LimeSurvey-4.1.11-Path-Traversal.html https://github.com/LimeSurvey/LimeSurvey/commit/daf50ebb16574badfb7ae0b8526ddc5871378f1b https://www.secsignal.org/en/news/cve-2019-9960-arbitrary-file-download-in-limesurvey https://github.com/LimeSurvey/LimeSurvey/commit/1ed10d3c423187712b8f6a8cb2bc9d5cc3b2deb8 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 5.4EPSS: 0%CPEs: 3EXPL: 2CVE-2020-11456 – LimeSurvey 4.1.11 - 'Survey Groups' Persistent Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2020-11456
LimeSurvey before 4.1.12+200324 has stored XSS in application/views/admin/surveysgroups/surveySettings.php and application/models/SurveysGroups.php (aka survey groups). LimeSurvey versiones anteriores a 4.1.12+200324, presenta una vulnerabilidad de tipo XSS almacenado en los archivos application/views/admin/surveysgroups/surveySettings.php y application/models/SurveysGroups.php (también se conoce como survey groups). LimeSurvey version 4.1.11 suffers from a Survey Groups persistent cross site scripting vulnerability. • https://www.exploit-db.com/exploits/48289 http://packetstormsecurity.com/files/157114/LimeSurvey-4.1.11-Cross-Site-Scripting.html https://github.com/LimeSurvey/LimeSurvey/commit/04b118acce2a74306f365ef329cbe00efc399b26 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2019-17660
https://notcve.org/view.php?id=CVE-2019-17660
A cross-site scripting (XSS) vulnerability in admin/translate/translateheader_view.php in LimeSurvey 3.19.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the tolang parameter, as demonstrated by the index.php/admin/translate/sa/index/surveyid/336819/lang/ PATH_INFO. Una vulnerabilidad de tipo cross-site scripting (XSS) en el archivo admin/translate/translateheader_view.php en LimeSurvey versión 3.19.1 y anteriores, permite a atacantes remotos inyectar script web o HTML arbitrario por medio del parámetro tolang, como es demostrado por el parámetro PATH_INFO del index.php/admin/translate/sa/index/surveyid/336819/lang/. • https://github.com/kbgsft/vuln-limesurvey/wiki/Reflected-XSS-in-LimeSurvey-3.19.1-by-xcuter • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2019-16174
https://notcve.org/view.php?id=CVE-2019-16174
An XML injection vulnerability was found in Limesurvey before 3.17.14 that allows remote attackers to import specially crafted XML files and execute code or compromise data integrity. Se encontró una vulnerabilidad de inyección XML en Limesurvey versiones anteriores a 3.17.14, que permite a atacantes remotos importar archivos XML especialmente diseñados y ejecutar código o comprometer la integridad de los datos. • https://github.com/LimeSurvey/LimeSurvey/commit/5870fd1037058bc4e43cccf893b576c72293371e#diff-d539f3f8185667ee48db78e1bf65a3b4R40 https://www.limesurvey.org/limesurvey-updates/2188-limesurvey-3-17-14-build-190902-released • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2019-16175
https://notcve.org/view.php?id=CVE-2019-16175
A clickjacking vulnerability was found in Limesurvey before 3.17.14. Se encontró una vulnerabilidad de secuestro de cliqueo en Limesurvey versiones anteriores a 3.17.14. • https://github.com/LimeSurvey/LimeSurvey/commit/5870fd1037058bc4e43cccf893b576c72293371e#diff-d539f3f8185667ee48db78e1bf65a3b4R41 https://www.limesurvey.org/limesurvey-updates/2188-limesurvey-3-17-14-build-190902-released • CWE-1021: Improper Restriction of Rendered UI Layers or Frames •