CVSS: 4.9EPSS: 0%CPEs: 1EXPL: 0CVE-2018-16397
https://notcve.org/view.php?id=CVE-2018-16397
03 Sep 2018 — In LimeSurvey before 3.14.7, an admin user can leverage a "file upload" question to read an arbitrary file, En LimeSurvey en versiones anteriores a la 3.14.7, un usuario administrador puede aprovechar una pregunta "file upload" para leer un archivo arbitrario. • https://github.com/LimeSurvey/LimeSurvey/blob/3be9b41e76826b57f5860d18d93b23f47d59d2e4/docs/release_notes.txt#L51 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 1CVE-2018-1000514
https://notcve.org/view.php?id=CVE-2018-1000514
26 Jun 2018 — LimeSurvey version 3.0.0-beta.3+17110 contains a Cross ite Request Forgery (CSRF) vulnerability in Boxes that can result in CSRF admins to delete boxes. This vulnerability appears to have been fixed in 3.6.x. LimeSurvey 3.0.0-beta.3+17110 contiene una vulnerabilidad de Cross-Site Request Forgery (CSRF) en Boxes que puede resultar en un CSRF que provoque que los administradores CSRF eliminen las boxes. La vulnerabilidad parece haber sido solucionada en las versiones 3.6.x. • https://bugs.limesurvey.org/plugin.php?page=Source/view&id=26925 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2018-1000513
https://notcve.org/view.php?id=CVE-2018-1000513
26 Jun 2018 — LimeSurvey version 3.0.0-beta.3+17110 contains a Cross Site Scripting (XSS) vulnerability in Boxes that can result in JS code execution against LimeSurvey admins. This vulnerability appears to have been fixed in 3.6.x. LimeSurvey, en su versión 3.0.0-beta.3+17110, contiene una vulnerabilidad de Cross Site Scripting (XSS) en Boxes que puede resultar en la ejecución de código JavaScript contra los administradores de LimeSurvey. La vulnerabilidad parece haber sido solucionada en las versiones 3.6.x. • https://bugs.limesurvey.org/view.php?id=13560 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.1EPSS: 0%CPEs: 4EXPL: 0CVE-2018-7556
https://notcve.org/view.php?id=CVE-2018-7556
28 Feb 2018 — LimeSurvey 2.6.x before 2.6.7, 2.7x.x before 2.73.1, and 3.x before 3.4.2 mishandles application/controller/InstallerController.php after installation, which allows remote attackers to access the configuration file. LimeSurvey, en versiones 2.6.x anteriores a la 2.6.7; versiones 2.7x.x anteriores a la 2.73.1 y versiones 3.x anteriores a la 3.4.2, gestiona de manera incorrecta application/controller/InstallerController.php tras la instalación. Esto permite que atacantes remotos accedan al archivo de configur... • https://www.limesurvey.org/about-us/news/2075-limesurvey-security-advisory-02-2018 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2018-1000053
https://notcve.org/view.php?id=CVE-2018-1000053
09 Feb 2018 — LimeSurvey version 3.0.0-beta.3+17110 contains a Cross ite Request Forgery (CSRF) vulnerability in Theme Uninstallation that can result in CSRF causing LimeSurvey admins to delete all their themes, rendering the website unusable. This attack appear to be exploitable via Simple HTML markup can be used to send a GET request to the affected endpoint. LimeSurvey 3.0.0-beta.3+17110 contiene una vulnerabilidad de Cross-Site Request Forgery (CSRF) en Theme Uninstallation que puede resultar en un CSRF que provoque ... • https://github.com/LimeSurvey/LimeSurvey/commit/1e440208a8d8bfd71ad7802e6369a136e8bba3dd • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2015-5078
https://notcve.org/view.php?id=CVE-2015-5078
28 Jun 2015 — SQL injection vulnerability in the insert function in application/controllers/admin/dataentry.php in LimeSurvey 2.06+ allows remote authenticated users to execute arbitrary SQL commands via the closedate parameter. Vulnerabilidad de inyección SQL en la función de insertar en application/controllers/admin/dataentry.php en LimeSurvey 2.06+ permite a usuarios remotos autenticados ejecutar comandos SQL arbitrarios a través del parámetro closedate. • http://www.securityfocus.com/bid/75440 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0CVE-2015-4628
https://notcve.org/view.php?id=CVE-2015-4628
18 Jun 2015 — SQL injection vulnerability in application/controllers/admin/questiongroups.php in LimeSurvey before 2.06+ Build 150618 allows remote authenticated administrators to execute arbitrary SQL commands via the sid parameter. Vulnerabilidad de inyección SQL en application/controllers/admin/questiongroups.php en LimeSurvey anterior a 2.06+ Build 150618 permite a administradores remotos autenticados ejecutar comandos SQL arbitrarios a través del parámetro sid. • http://www.securityfocus.com/bid/75301 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 2CVE-2014-5016
https://notcve.org/view.php?id=CVE-2014-5016
21 Jul 2014 — Multiple cross-site scripting (XSS) vulnerabilities in LimeSurvey 2.05+ Build 140618 allow remote attackers to inject arbitrary web script or HTML via (1) the pid attribute to the getAttribute_json function to application/controllers/admin/participantsaction.php in CPDB, (2) the sa parameter to application/views/admin/globalSettings_view.php, or (3) a crafted CSV file to the "Import CSV" functionality. Múltiples vulnerabilidades de XSS en LimeSurvey 2.05+ Build 140618 permiten a atacantes remotos inyectar s... • http://packetstormsecurity.com/files/127369/Lime-Survey-2.05-Build-140618-XSS-SQL-Injection.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 2CVE-2014-5017
https://notcve.org/view.php?id=CVE-2014-5017
21 Jul 2014 — SQL injection vulnerability in CPDB in application/controllers/admin/participantsaction.php in LimeSurvey 2.05+ Build 140618 allows remote attackers to execute arbitrary SQL commands via the sidx parameter in a JSON request to admin/participants/sa/getParticipants_json, related to a search parameter. Vulnerabilidad de inyección SQL en CPDB en application/controllers/admin/participantsaction.php en LimeSurvey 2.05+ Build 140618 permite a atacantes remotos ejecutar comandos SQL arbitrarios a través del paráme... • http://packetstormsecurity.com/files/127369/Lime-Survey-2.05-Build-140618-XSS-SQL-Injection.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 2CVE-2014-5018
https://notcve.org/view.php?id=CVE-2014-5018
21 Jul 2014 — Incomplete blacklist vulnerability in the autoEscape function in common_helper.php in LimeSurvey 2.05+ Build 140618 allows remote attackers to conduct cross-site scripting (XSS) attacks via the GBK charset in the loadname parameter to index.php, related to the survey resume. Vulnerabilidad de lista negra incompleta en la función autoEscape en common_helper.php en LimeSurvey 2.05+ Build 140618 permite a atacantes remotos realizar ataques de XSS a través del juego de caracteres GBK en el parámetro loadname en... • http://packetstormsecurity.com/files/127369/Lime-Survey-2.05-Build-140618-XSS-SQL-Injection.html •