CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0CVE-2019-16185
https://notcve.org/view.php?id=CVE-2019-16185
In Limesurvey before 3.17.14, admin users can view, update, or delete reserved menu entries without proper permissions. En Limesurvey versiones anteriores a 3.17.14, usuarios administradores pueden visualizar, actualizar o eliminar entradas de menú reservadas sin permisos apropiados. • https://github.com/LimeSurvey/LimeSurvey/commit/5870fd1037058bc4e43cccf893b576c72293371e#diff-d539f3f8185667ee48db78e1bf65a3b4R51 https://www.limesurvey.org/limesurvey-updates/2188-limesurvey-3-17-14-build-190902-released • CWE-276: Incorrect Default Permissions •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0CVE-2019-16186
https://notcve.org/view.php?id=CVE-2019-16186
In Limesurvey before 3.17.14, admin users can access the plugin manager without proper permissions. En Limesurvey versiones anteriores a 3.17.14, usuarios administradores pueden acceder al administrador de plugins sin permisos apropiados. • https://github.com/LimeSurvey/LimeSurvey/commit/5870fd1037058bc4e43cccf893b576c72293371e#diff-d539f3f8185667ee48db78e1bf65a3b4R49 https://www.limesurvey.org/limesurvey-updates/2188-limesurvey-3-17-14-build-190902-released • CWE-276: Incorrect Default Permissions •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2019-16187
https://notcve.org/view.php?id=CVE-2019-16187
Limesurvey before 3.17.14 uses an anti-CSRF cookie without the HttpOnly flag, which allows attackers to access a cookie value via a client-side script. Limesurvey versiones anteriores a 3.17.14, utiliza una cookie anti-CSRF sin el flag HttpOnly, lo que permite a atacantes acceder a un valor de cookie por medio de un script del lado del cliente. • https://github.com/LimeSurvey/LimeSurvey/commit/5870fd1037058bc4e43cccf893b576c72293371e#diff-d539f3f8185667ee48db78e1bf65a3b4R48 https://www.limesurvey.org/limesurvey-updates/2188-limesurvey-3-17-14-build-190902-released • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 4CVE-2019-16172 – LimeSurvey 3.17.13 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2019-16172
LimeSurvey before v3.17.14 allows stored XSS for escalating privileges from a low-privileged account to, for example, SuperAdmin. The attack uses a survey group in which the title contains JavaScript that is mishandled upon group deletion. LimeSurvey versiones anteriores a v3.17.14, permite un ataque de tipo XSS almacenado para escalar los privilegios desde una cuenta con pocos privilegios para, por ejemplo, SuperAdmin. El ataque utiliza un grupo de encuesta en el que el título contiene JavaScript que es manejado inapropiadamente tras eliminar el grupo. LimeSurvey versions 3.17.13 and below suffer from reflective and persistent cross site scripting vulnerabilities. • https://www.exploit-db.com/exploits/47386 http://packetstormsecurity.com/files/154479/LimeSurvey-3.17.13-Cross-Site-Scripting.html http://seclists.org/fulldisclosure/2019/Sep/22 https://github.com/LimeSurvey/LimeSurvey/commit/32d6a5224327b246ee3a2a08500544e4f80f9a9a https://seclists.org/bugtraq/2019/Sep/27 https://www.limesurvey.org/limesurvey-updates/2188-limesurvey-3-17-14-build-190902-released • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 4CVE-2019-16173 – LimeSurvey 3.17.13 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2019-16173
LimeSurvey before v3.17.14 allows reflected XSS for escalating privileges from a low-privileged account to, for example, SuperAdmin. This occurs in application/core/Survey_Common_Action.php, LimeSurvey versiones anteriores a v3.17.14, permite un ataque de tipo XSS reflejado para escalar los privilegios desde una cuenta con pocos privilegios para, por ejemplo, SuperAdmin. Esto ocurre en el archivo application/core/Survey_Common_Action.php. LimeSurvey versions 3.17.13 and below suffer from reflective and persistent cross site scripting vulnerabilities. • https://www.exploit-db.com/exploits/47386 http://packetstormsecurity.com/files/154479/LimeSurvey-3.17.13-Cross-Site-Scripting.html http://seclists.org/fulldisclosure/2019/Sep/22 https://github.com/LimeSurvey/LimeSurvey/commit/f1c1ad2d24eb262363511fcca2e96ce737064006 https://seclists.org/bugtraq/2019/Sep/27 https://www.limesurvey.org/limesurvey-updates/2188-limesurvey-3-17-14-build-190902-released • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •