CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2019-15640
https://notcve.org/view.php?id=CVE-2019-15640
Limesurvey before 3.17.10 does not validate both the MIME type and file extension of an image. Limesurvey versiones anteriores a 3.17.10, no valida tanto el tipo MIME como la extensión de archivo de una imagen. • https://github.com/LimeSurvey/LimeSurvey/commit/0479e3ff93ff1473a25c71e83cc011920b072b4c#diff-d539f3f8185667ee48db78e1bf65a3b4R43 • CWE-20: Improper Input Validation •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2019-9960 – LimeSurvey Zip Path Traversals
https://notcve.org/view.php?id=CVE-2019-9960
The downloadZip function in application/controllers/admin/export.php in LimeSurvey through 3.16.1+190225 allows a relative path. La función downloadZip en application/controllers/admin/export.php en LimeSurvey, hasta la versión 3.16.1+190225, permite una ruta relativa. • https://github.com/LimeSurvey/LimeSurvey/commit/1ed10d3c423187712b8f6a8cb2bc9d5cc3b2deb8 https://github.com/LimeSurvey/LimeSurvey/commit/daf50ebb16574badfb7ae0b8526ddc5871378f1b https://www.secsignal.org/en/news/cve-2019-9960-arbitrary-file-download-in-limesurvey • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2017-18358
https://notcve.org/view.php?id=CVE-2017-18358
LimeSurvey before 2.72.4 has Stored XSS by using the Continue Later (aka Resume later) feature to enter an email address, which is mishandled in the admin panel. LimeSurvey en versiones anteriores a la 2.72.4 tiene Cross-Site Scripting (XSS) persistente mediante el uso de la característica "Continue Later" (también conocida como "Resume later") para introducir una dirección de correo electrónico, que se gestiona de manera incorrecta en el panel de administración. • https://blog.ripstech.com/2018/limesurvey-persistent-xss-to-code-execution https://github.com/LimeSurvey/LimeSurvey/commit/700b20e2ae918550bfbf283f433f07622480978b • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2018-20322
https://notcve.org/view.php?id=CVE-2018-20322
LimeSurvey version 3.15.5 contains a Cross-site scripting (XSS) vulnerability in Survey Resource zip upload, resulting in Javascript code execution against LimeSurvey administrators. Fixed in version 3.15.6. LimeSurvey, en su versión 3.15.5, contiene una vulnerabilidad de Cross Site Scripting (XSS) en la subida del zip "Survey Resource" que puede resultar en la ejecución de código JavaScript contra los administradores de LimeSurvey. Esto se solucionó en la versión 3.15.6. • https://bugs.limesurvey.org/view.php?id=14376 https://github.com/LimeSurvey/LimeSurvey/commit/bfee69edaa0b90f97dc2d8fab09a87958cb32405 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2018-17003 – LimeSurvey 3.14.7 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2018-17003
In LimeSurvey 3.14.7, HTML Injection and Stored XSS have been discovered in the appendix via the surveyls_title parameter to /index.php?r=admin/survey/sa/insert. En LimeSurvey 3.14.7, se han descubierto una inyección HTML y Cross-Site Scripting (XSS) persistente en el apéndice mediante el parámetro surveyls_title en /index.php?r=admin/survey/sa/insert. LimeSurvey version 3.14.7 suffers from cross site scripting and html injection vulnerabilities. • http://packetstormsecurity.com/files/149435/LimeSurvey-3.14.7-Cross-Site-Scripting.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •