CVE-2019-16179
https://notcve.org/view.php?id=CVE-2019-16179
Limesurvey before 3.17.14 does not enforce SSL/TLS usage in the default configuration. Limesurvey versiones anteriores a 3.17.14, no aplica el uso de SSL/TLS en la configuración predeterminada. • https://github.com/LimeSurvey/LimeSurvey/commit/5870fd1037058bc4e43cccf893b576c72293371e#diff-d539f3f8185667ee48db78e1bf65a3b4R42 https://www.limesurvey.org/limesurvey-updates/2188-limesurvey-3-17-14-build-190902-released • CWE-295: Improper Certificate Validation •
CVE-2019-16180
https://notcve.org/view.php?id=CVE-2019-16180
Limesurvey before 3.17.14 allows remote attackers to bruteforce the login form and enumerate usernames when the LDAP authentication method is used. Limesurvey versiones anteriores a 3.17.14, permite a atacantes remotos aplicar fuerza bruta en el formulario de inicio de sesión y enumerar los nombres de usuario cuando el método de autenticación LDAP es usado. • https://github.com/LimeSurvey/LimeSurvey/commit/5870fd1037058bc4e43cccf893b576c72293371e#diff-d539f3f8185667ee48db78e1bf65a3b4R44 https://www.limesurvey.org/limesurvey-updates/2188-limesurvey-3-17-14-build-190902-released •
CVE-2019-16181
https://notcve.org/view.php?id=CVE-2019-16181
In Limesurvey before 3.17.14, admin users can mark other users' notifications as read. En Limesurvey versiones anteriores a 3.17.14, usuarios administradores pueden marcar las notificaciones de otros usuarios como leídas. • https://github.com/LimeSurvey/LimeSurvey/commit/5870fd1037058bc4e43cccf893b576c72293371e#diff-d539f3f8185667ee48db78e1bf65a3b4R52 https://www.limesurvey.org/limesurvey-updates/2188-limesurvey-3-17-14-build-190902-released •
CVE-2019-16182
https://notcve.org/view.php?id=CVE-2019-16182
A reflected cross-site scripting (XSS) vulnerability was found in Limesurvey before 3.17.14 that allows remote attackers to inject arbitrary web script or HTML via extensions of uploaded files. Se encontró una vulnerabilidad de tipo cross-site scripting (XSS) reflejada en Limesurvey versiones anteriores a 3.17.14, que permite a atacantes remotos inyectar script web o HTML arbitrario por medio de extensiones de archivos cargados. • https://github.com/LimeSurvey/LimeSurvey/commit/5870fd1037058bc4e43cccf893b576c72293371e#diff-d539f3f8185667ee48db78e1bf65a3b4R57 https://www.limesurvey.org/limesurvey-updates/2188-limesurvey-3-17-14-build-190902-released • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2019-16183
https://notcve.org/view.php?id=CVE-2019-16183
In Limesurvey before 3.17.14, admin users can run an integrity check without proper permissions. En Limesurvey versiones anteriores a 3.17.14, usuarios administradores pueden ejecutar una comprobación de integridad sin los permisos apropiados. • https://github.com/LimeSurvey/LimeSurvey/commit/5870fd1037058bc4e43cccf893b576c72293371e#diff-d539f3f8185667ee48db78e1bf65a3b4R50 https://www.limesurvey.org/limesurvey-updates/2188-limesurvey-3-17-14-build-190902-released • CWE-276: Incorrect Default Permissions •