
CVSS: 6.4 | EPSS: 0% | CPEs: 1 | EXPL: 0

07 Oct 2024 — Cross Site Scripting vulnerability in LimeSurvey before 6.5.12+240611 allows a remote attacker to execute arbitrary code via a crafted script to the title and comment fields. • http://limesurvey.com •

CVSS: 6.4 | EPSS: 0% | CPEs: 1 | EXPL: 0

07 Oct 2024 — Cross Site Scripting vulnerability in LimeSurvey before 6.5.0+240319 allows a remote attacker to execute arbitrary code via a lack of input validation and output encoding in the Alert Widget's message component. • http://limesurvey.com •

CVSS: 6.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

03 Sep 2024 — A CSV injection vulnerability in Lime Survey v6.5.12 allows attackers to execute arbitrary code via uploading a crafted CSV file. • https://github.com/LimeSurvey/LimeSurvey/pull/3884 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 8.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

03 Sep 2024 — An issue in the js_localize.php function of LimeSurvey v6.6.2 and before allows attackers to execute arbitrary code via injecting a crafted payload into the lng parameter of the js_localize.php function. • https://bugs.limesurvey.org/view.php?id=19639 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 7.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

03 Sep 2024 — A Host header injection vulnerability in the password reset function of LimeSurvey v.6.6.1+240806 and before allows attackers to send users a crafted password reset link that will direct victims to a malicious domain. • https://github.com/LimeSurvey/LimeSurvey/compare/6.6.0+240729...6.6.1+240806 •

CVSS: 5.1 | EPSS: 0% | CPEs: 1 | EXPL: 1

17 Aug 2024 — A vulnerability was found in LimeSurvey 6.3.0-231016 and classified as problematic. Affected by this issue is some unknown functionality of the file /index.php of the component File Upload. The manipulation of the argument size leads to denial of service. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. • https://github.com/Hebing123/cve/issues/67 • CWE-404: Improper Resource Shutdown or Release •

CVSS: 6.5 | EPSS: 0% | CPEs: 1 | EXPL: 1

21 Jul 2024 — A vulnerability was found in LimeSurvey 6.5.14-240624. It has been rated as critical. Affected by this issue is the function actionUpdateSurveyLocaleSettingsGeneralSettings of the file /index.php?r=admin/database/index/updatesurveylocalesettings_generalsettings of the component Survey General Settings Handler. The manipulation of the argument language leads to sql injection. • https://github.com/Hebing123/cve/issues/55 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 8.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

09 Jul 2024 — Lime Survey <= 6.5.12 is vulnerable to Cross Site Request Forgery (CSRF). The YII_CSRF_TOKEN is only checked when passed in the body of POST requests, but the same check isn't performed in the equivalent GET requests. • https://github.com/sysentr0py/CVEs/tree/main/CVE-2024-39063 • CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

26 Mar 2024 — Cross Site Scripting (XSS) vulnerability in Lime Survey Community Edition Version v.5.3.32+220817 allows remote attackers to execute arbitrary code via the Administrator email address parameter in the General Setting function. LimeSurvey... • https://bugs.limesurvey.org/bug_relationship_graph.php?bug_id=19364&graph=relation • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 5.5 | EPSS: 0% | CPEs: 1 | EXPL: 1

17 Nov 2023 — Cross Site Scripting (XSS) vulnerability in LimeSurvey before version 6.2.9-230925 allows a remote attacker to escalate privileges via a crafted script to the _generaloptions_panel.php component. • https://github.com/Hebing123/CVE-2023-44796/issues/1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •