CVSS: 9.8EPSS: 91%CPEs: 3EXPL: 2CVE-2020-11455 – LimeSurvey 4.1.11 - 'File Manager' Path Traversal
https://notcve.org/view.php?id=CVE-2020-11455
LimeSurvey before 4.1.12+200324 contains a path traversal vulnerability in application/controllers/admin/LimeSurveyFileManager.php. LimeSurvey versiones anteriores a 4.1.12+200324, contiene una vulnerabilidad de salto de ruta en el archivo application/controllers/admin/LimeSurveyFileManager.php. LimeSurvey version 4.1.11 suffers from a File Manager path traversal vulnerability. • https://www.exploit-db.com/exploits/48297 http://packetstormsecurity.com/files/157112/LimeSurvey-4.1.11-Path-Traversal.html https://github.com/LimeSurvey/LimeSurvey/commit/daf50ebb16574badfb7ae0b8526ddc5871378f1b https://www.secsignal.org/en/news/cve-2019-9960-arbitrary-file-download-in-limesurvey https://github.com/LimeSurvey/LimeSurvey/commit/1ed10d3c423187712b8f6a8cb2bc9d5cc3b2deb8 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 5.4EPSS: 0%CPEs: 3EXPL: 2CVE-2020-11456 – LimeSurvey 4.1.11 - 'Survey Groups' Persistent Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2020-11456
LimeSurvey before 4.1.12+200324 has stored XSS in application/views/admin/surveysgroups/surveySettings.php and application/models/SurveysGroups.php (aka survey groups). LimeSurvey versiones anteriores a 4.1.12+200324, presenta una vulnerabilidad de tipo XSS almacenado en los archivos application/views/admin/surveysgroups/surveySettings.php y application/models/SurveysGroups.php (también se conoce como survey groups). LimeSurvey version 4.1.11 suffers from a Survey Groups persistent cross site scripting vulnerability. • https://www.exploit-db.com/exploits/48289 http://packetstormsecurity.com/files/157114/LimeSurvey-4.1.11-Cross-Site-Scripting.html https://github.com/LimeSurvey/LimeSurvey/commit/04b118acce2a74306f365ef329cbe00efc399b26 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2019-14512
https://notcve.org/view.php?id=CVE-2019-14512
LimeSurvey 3.17.7+190627 has XSS via Boxes in application/extensions/PanelBoxWidget/views/box.php or a label title in application/views/admin/labels/labelview_view.php. LimeSurvey versiones 3.17.7+190627, presenta una vulnerabilidad de tipo XSS por medio de Boxes en el archivo application/extensions/PanelBoxWidget/views/box.php o un título de etiqueta en el archivo application/views/admin/labels/labelview_view.php. • https://github.com/LimeSurvey/LimeSurvey/commit/0b7391dff91b326284ca3fc5188b768b5d522d88 https://github.com/LimeSurvey/LimeSurvey/commit/f2566f6978a77e3f0870079c45cda1c065a58a73 https://www.limesurvey.org https://www.linkedin.com/in/michelecisternino • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2019-17660
https://notcve.org/view.php?id=CVE-2019-17660
A cross-site scripting (XSS) vulnerability in admin/translate/translateheader_view.php in LimeSurvey 3.19.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the tolang parameter, as demonstrated by the index.php/admin/translate/sa/index/surveyid/336819/lang/ PATH_INFO. Una vulnerabilidad de tipo cross-site scripting (XSS) en el archivo admin/translate/translateheader_view.php en LimeSurvey versión 3.19.1 y anteriores, permite a atacantes remotos inyectar script web o HTML arbitrario por medio del parámetro tolang, como es demostrado por el parámetro PATH_INFO del index.php/admin/translate/sa/index/surveyid/336819/lang/. • https://github.com/kbgsft/vuln-limesurvey/wiki/Reflected-XSS-in-LimeSurvey-3.19.1-by-xcuter • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2019-16174
https://notcve.org/view.php?id=CVE-2019-16174
An XML injection vulnerability was found in Limesurvey before 3.17.14 that allows remote attackers to import specially crafted XML files and execute code or compromise data integrity. Se encontró una vulnerabilidad de inyección XML en Limesurvey versiones anteriores a 3.17.14, que permite a atacantes remotos importar archivos XML especialmente diseñados y ejecutar código o comprometer la integridad de los datos. • https://github.com/LimeSurvey/LimeSurvey/commit/5870fd1037058bc4e43cccf893b576c72293371e#diff-d539f3f8185667ee48db78e1bf65a3b4R40 https://www.limesurvey.org/limesurvey-updates/2188-limesurvey-3-17-14-build-190902-released • CWE-611: Improper Restriction of XML External Entity Reference •