CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2019-16184
https://notcve.org/view.php?id=CVE-2019-16184
A CSV injection vulnerability was found in Limesurvey before 3.17.14 that allows survey participants to inject commands via their survey responses that will be included in the export CSV file. Se encontró una vulnerabilidad de inyección CSV en Limesurvey versiones anteriores a 3.17.14, que permite a los participantes de la encuesta inyectar comandos por medio de sus respuestas a la encuesta que se incluirán en el archivo CSV de exportación. • https://github.com/LimeSurvey/LimeSurvey/commit/5870fd1037058bc4e43cccf893b576c72293371e#diff-d539f3f8185667ee48db78e1bf65a3b4R46 https://www.limesurvey.org/limesurvey-updates/2188-limesurvey-3-17-14-build-190902-released • CWE-1236: Improper Neutralization of Formula Elements in a CSV File •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0CVE-2019-16185
https://notcve.org/view.php?id=CVE-2019-16185
In Limesurvey before 3.17.14, admin users can view, update, or delete reserved menu entries without proper permissions. En Limesurvey versiones anteriores a 3.17.14, usuarios administradores pueden visualizar, actualizar o eliminar entradas de menú reservadas sin permisos apropiados. • https://github.com/LimeSurvey/LimeSurvey/commit/5870fd1037058bc4e43cccf893b576c72293371e#diff-d539f3f8185667ee48db78e1bf65a3b4R51 https://www.limesurvey.org/limesurvey-updates/2188-limesurvey-3-17-14-build-190902-released • CWE-276: Incorrect Default Permissions •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0CVE-2019-16186
https://notcve.org/view.php?id=CVE-2019-16186
In Limesurvey before 3.17.14, admin users can access the plugin manager without proper permissions. En Limesurvey versiones anteriores a 3.17.14, usuarios administradores pueden acceder al administrador de plugins sin permisos apropiados. • https://github.com/LimeSurvey/LimeSurvey/commit/5870fd1037058bc4e43cccf893b576c72293371e#diff-d539f3f8185667ee48db78e1bf65a3b4R49 https://www.limesurvey.org/limesurvey-updates/2188-limesurvey-3-17-14-build-190902-released • CWE-276: Incorrect Default Permissions •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2019-16187
https://notcve.org/view.php?id=CVE-2019-16187
Limesurvey before 3.17.14 uses an anti-CSRF cookie without the HttpOnly flag, which allows attackers to access a cookie value via a client-side script. Limesurvey versiones anteriores a 3.17.14, utiliza una cookie anti-CSRF sin el flag HttpOnly, lo que permite a atacantes acceder a un valor de cookie por medio de un script del lado del cliente. • https://github.com/LimeSurvey/LimeSurvey/commit/5870fd1037058bc4e43cccf893b576c72293371e#diff-d539f3f8185667ee48db78e1bf65a3b4R48 https://www.limesurvey.org/limesurvey-updates/2188-limesurvey-3-17-14-build-190902-released • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 4CVE-2019-16172 – LimeSurvey 3.17.13 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2019-16172
LimeSurvey before v3.17.14 allows stored XSS for escalating privileges from a low-privileged account to, for example, SuperAdmin. The attack uses a survey group in which the title contains JavaScript that is mishandled upon group deletion. LimeSurvey versiones anteriores a v3.17.14, permite un ataque de tipo XSS almacenado para escalar los privilegios desde una cuenta con pocos privilegios para, por ejemplo, SuperAdmin. El ataque utiliza un grupo de encuesta en el que el título contiene JavaScript que es manejado inapropiadamente tras eliminar el grupo. LimeSurvey versions 3.17.13 and below suffer from reflective and persistent cross site scripting vulnerabilities. • https://www.exploit-db.com/exploits/47386 http://packetstormsecurity.com/files/154479/LimeSurvey-3.17.13-Cross-Site-Scripting.html http://seclists.org/fulldisclosure/2019/Sep/22 https://github.com/LimeSurvey/LimeSurvey/commit/32d6a5224327b246ee3a2a08500544e4f80f9a9a https://seclists.org/bugtraq/2019/Sep/27 https://www.limesurvey.org/limesurvey-updates/2188-limesurvey-3-17-14-build-190902-released • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •