
CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 1

A cross-site scripting (XSS) vulnerability in admin/translate/translateheader_view.php in LimeSurvey 3.19.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the tolang parameter, as demonstrated by the index.php/admin/translate/sa/index/surveyid/336819/lang/ PATH_INFO.
• https://github.com/kbgsft/vuln-limesurvey/wiki/Reflected-XSS-in-LimeSurvey-3.19.1-by-xcuter
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 8.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

An XML injection vulnerability was found in LimeSurvey before 3.17.14 that allows remote attackers to import specially crafted XML files and execute code or compromise data integrity.
• https://github.com/LimeSurvey/LimeSurvey/commit/5870fd1037058bc4e43cccf893b576c72293371e#diff-d539f3f8185667ee48db78e1bf65a3b4R40
• https://www.limesurvey.org/limesurvey-updates/2188-limesurvey-3-17-14-build-190902-released
• CWE-611: Improper Restriction of XML External Entity Reference

CVSS: 4.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

A clickjacking vulnerability was found in LimeSurvey before 3.17.14.
• https://github.com/LimeSurvey/LimeSurvey/commit/5870fd1037058bc4e43cccf893b576c72293371e#diff-d539f3f8185667ee48db78e1bf65a3b4R41
• https://www.limesurvey.org/limesurvey-updates/2188-limesurvey-3-17-14-build-190902-released
• CWE-1021: Improper Restriction of Rendered UI Layers or Frames

CVSS: 5.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

A path disclosure vulnerability was found in LimeSurvey before 3.17.14 that allows a remote attacker to discover the path to the application in the filesystem.
• https://github.com/LimeSurvey/LimeSurvey/commit/5870fd1037058bc4e43cccf893b576c72293371e#diff-d539f3f8185667ee48db78e1bf65a3b4R43
• https://www.limesurvey.org/limesurvey-updates/2188-limesurvey-3-17-14-build-190902-released

CVSS: 7.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

In LimeSurvey before 3.17.14, the entire database is exposed through browser caching.
• https://github.com/LimeSurvey/LimeSurvey/commit/5870fd1037058bc4e43cccf893b576c72293371e#diff-d539f3f8185667ee48db78e1bf65a3b4R53
• https://www.limesurvey.org/limesurvey-updates/2188-limesurvey-3-17-14-build-190902-released
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor