
CVSS: 9.1 | EPSS: 0% | CPEs: 4 | EXPL: 0

LimeSurvey 2.6.x before 2.6.7, 2.7x.x before 2.73.1, and 3.x before 3.4.2 mishandles application/controller/InstallerController.php after installation, which allows remote attackers to access the configuration file.
• https://www.limesurvey.org/about-us/news/2075-limesurvey-security-advisory-02-2018
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 8.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

LimeSurvey version 3.0.0-beta.3+17110 contains a Cross-Site Request Forgery (CSRF) vulnerability in Theme Uninstallation that can cause LimeSurvey admins to delete all their themes, rendering the website unusable. The attack appears to be exploitable via simple HTML markup that sends a GET request to the affected endpoint.
• https://github.com/LimeSurvey/LimeSurvey/commit/1e440208a8d8bfd71ad7802e6369a136e8bba3dd
• CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 6.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

SQL injection vulnerability in the insert function in application/controllers/admin/dataentry.php in LimeSurvey 2.06+ allows remote authenticated users to execute arbitrary SQL commands via the closedate parameter.
• http://www.securityfocus.com/bid/75440
• https://bugs.limesurvey.org/plugin.php?page=Source/view&id=15509
• https://bugs.limesurvey.org/view.php?id=9720
• https://github.com/LimeSurvey/LimeSurvey/commit/65d717415a271242b9a30a5330d4eabac1c1a837
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 6.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

SQL injection vulnerability in application/controllers/admin/questiongroups.php in LimeSurvey before 2.06+ Build 150618 allows remote authenticated administrators to execute arbitrary SQL commands via the sid parameter.
• http://www.securityfocus.com/bid/75301
• https://bugs.limesurvey.org/view.php?id=9694
• https://github.com/LimeSurvey/LimeSurvey/commit/b09edc0dbd18d8459ade4c7c941e562c16564f9e
• https://github.com/LimeSurvey/LimeSurvey/commit/e15861a65b7028adfc23ef6af8563f645e318548
• https://github.com/LimeSurvey/LimeSurvey/pull/331
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 7.5 | EPSS: 0% | CPEs: 1 | EXPL: 2

SQL injection vulnerability in CPDB in application/controllers/admin/participantsaction.php in LimeSurvey 2.05+ Build 140618 allows remote attackers to execute arbitrary SQL commands via the sidx parameter in a JSON request to admin/participants/sa/getParticipants_json, related to a search parameter.
• http://packetstormsecurity.com/files/127369/Lime-Survey-2.05-Build-140618-XSS-SQL-Injection.html
• https://github.com/LimeSurvey/LimeSurvey/commit/9938bcd1df8ea27052557c722a67b00c0e7d6cb6
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')