CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2019-16175
https://notcve.org/view.php?id=CVE-2019-16175
A clickjacking vulnerability was found in Limesurvey before 3.17.14. Se encontró una vulnerabilidad de secuestro de cliqueo en Limesurvey versiones anteriores a 3.17.14. • https://github.com/LimeSurvey/LimeSurvey/commit/5870fd1037058bc4e43cccf893b576c72293371e#diff-d539f3f8185667ee48db78e1bf65a3b4R41 https://www.limesurvey.org/limesurvey-updates/2188-limesurvey-3-17-14-build-190902-released • CWE-1021: Improper Restriction of Rendered UI Layers or Frames •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2019-16176
https://notcve.org/view.php?id=CVE-2019-16176
A path disclosure vulnerability was found in Limesurvey before 3.17.14 that allows a remote attacker to discover the path to the application in the filesystem. Se encontró una vulnerabilidad de divulgación de ruta (path) en Limesurvey versiones anteriores a 3.17.14, que permite a un atacante remoto descubrir la ruta para la aplicación en el sistema de archivos. • https://github.com/LimeSurvey/LimeSurvey/commit/5870fd1037058bc4e43cccf893b576c72293371e#diff-d539f3f8185667ee48db78e1bf65a3b4R43 https://www.limesurvey.org/limesurvey-updates/2188-limesurvey-3-17-14-build-190902-released •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2019-16177
https://notcve.org/view.php?id=CVE-2019-16177
In Limesurvey before 3.17.14, the entire database is exposed through browser caching. En Limesurvey versiones anteriores a 3.17.14, la base de datos completa es expuesta por medio del almacenamiento en caché del navegador. • https://github.com/LimeSurvey/LimeSurvey/commit/5870fd1037058bc4e43cccf893b576c72293371e#diff-d539f3f8185667ee48db78e1bf65a3b4R53 https://www.limesurvey.org/limesurvey-updates/2188-limesurvey-3-17-14-build-190902-released • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2019-16178
https://notcve.org/view.php?id=CVE-2019-16178
A stored cross-site scripting (XSS) vulnerability was found in Limesurvey before 3.17.14 that allows authenticated users with correct permissions to inject arbitrary web script or HTML via titles of admin box buttons on the home page. Se encontró una vulnerabilidad de tipo cross-site scripting (XSS) almacenado en Limesurvey versiones anteriores a 3.17.14, que permite a usuarios autenticados con permisos correctos inyectar script web o HTML arbitrario por medio de los títulos de los botones del cuadro de administración en la página principal. • https://github.com/LimeSurvey/LimeSurvey/commit/5870fd1037058bc4e43cccf893b576c72293371e#diff-d539f3f8185667ee48db78e1bf65a3b4R39 https://www.limesurvey.org/limesurvey-updates/2188-limesurvey-3-17-14-build-190902-released • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2019-16179
https://notcve.org/view.php?id=CVE-2019-16179
Limesurvey before 3.17.14 does not enforce SSL/TLS usage in the default configuration. Limesurvey versiones anteriores a 3.17.14, no aplica el uso de SSL/TLS en la configuración predeterminada. • https://github.com/LimeSurvey/LimeSurvey/commit/5870fd1037058bc4e43cccf893b576c72293371e#diff-d539f3f8185667ee48db78e1bf65a3b4R42 https://www.limesurvey.org/limesurvey-updates/2188-limesurvey-3-17-14-build-190902-released • CWE-295: Improper Certificate Validation •