CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 1CVE-2023-44796
https://notcve.org/view.php?id=CVE-2023-44796
17 Nov 2023 — Cross Site Scripting (XSS) vulnerability in LimeSurvey before version 6.2.9-230925 allows a remote attacker to escalate privileges via a crafted script to the _generaloptions_panel.php component. Vulnerabilidad de Cross Site Scripting (XSS) en LimeSurvey anterior a la versión 6.2.9-230925 permite a un atacante remoto escalar privilegios a través de un script manipulado al componente _generaloptions_panel.php. • https://github.com/Hebing123/CVE-2023-44796/issues/1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 1CVE-2022-48008
https://notcve.org/view.php?id=CVE-2022-48008
27 Jan 2023 — An arbitrary file upload vulnerability in the plugin manager of LimeSurvey v5.4.15 allows attackers to execute arbitrary code via a crafted PHP file. Una vulnerabilidad de carga de archivos arbitrarios en el administrador de complementos de LimeSurvey v5.4.15 permite a los atacantes ejecutar código arbitrario a través de un archivo PHP manipulado. • https://github.com/Sakura-501/LimeSurvey-5.4.15-PluginUploadtoRCE • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 1CVE-2022-48010
https://notcve.org/view.php?id=CVE-2022-48010
27 Jan 2023 — LimeSurvey v5.4.15 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the component /index.php/surveyAdministration/rendersidemenulink?subaction=surveytexts. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Description or Welcome-message text fields. NOTE: the vendor indicates that this is not a vulnerability because the manipulation requires Superadministrator privileges, and Superadministrators are already allo... • https://github.com/Sakura-501/LimeSurvey-5.4.15-Stored-XSS-in-surveytexts • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.3EPSS: 0%CPEs: 1EXPL: 1CVE-2022-43279
https://notcve.org/view.php?id=CVE-2022-43279
15 Nov 2022 — LimeSurvey before v5.0.4 was discovered to contain a SQL injection vulnerability via the component /application/views/themeOptions/update.php. Se descubrió que LimeSurvey v5.4.4 contiene una vulnerabilidad de inyección SQL a través del componente /application/views/themeOptions/update.php. • https://brick-pamphlet-d24.notion.site/LimeSurvey-V5-4-4-background-update-php-SQL-injection-50e8fd6eba4644bb941b2c8d6fb7979a • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2022-29710
https://notcve.org/view.php?id=CVE-2022-29710
24 May 2022 — A cross-site scripting (XSS) vulnerability in uploadConfirm.php of LimeSurvey v5.3.9 and below allows attackers to execute arbitrary web scripts or HTML via a crafted plugin. Una vulnerabilidad de tipo cross-site scripting (XSS) en el archivo uploadConfirm.php de LimeSurvey versiones v5.3.9 y anteriores, permite a atacantes ejecutar scripts web o HTML arbitrarios por medio de un plugin diseñado • https://github.com/LimeSurvey/LimeSurvey/commit/f7b35619a1c4b0893754594c7d5870fd599a0f9c • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.0EPSS: 2%CPEs: 1EXPL: 3CVE-2021-44967
https://notcve.org/view.php?id=CVE-2021-44967
22 Feb 2022 — A Remote Code Execution (RCE) vulnerabilty exists in LimeSurvey 5.2.4 via the upload and install plugins function, which could let a remote malicious user upload an arbitrary PHP code file. Se presenta una vulnerabilidad de Ejecución de Código Remota (RCE) en LimeSurvey versión 5.2.4 por medio de la función upload and install plugins, que podría permitir a un usuario remoto malicioso cargar un archivo de código PHP arbitrario • https://github.com/D3Ext/LimeSurvey-RCE • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2018-10228
https://notcve.org/view.php?id=CVE-2018-10228
14 Dec 2021 — Cross-site scripting (XSS) vulnerability in /application/controller/admin/theme.php in LimeSurvey 3.6.2+180406 allows remote attackers to inject arbitrary web script or HTML via the changes_cp parameter to the index.php/admin/themes/sa/templatesavechanges URI. Una vulnerabilidad de tipo Cross-site scripting (XSS) en el archivo /application/controller/admin/theme.php en LimeSurvey versión 3.6.2+180406, permite a atacantes remotos inyectar scripts web o HTML arbitrarios por medio del parámetro changes_cp al U... • http://limesurvey.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2021-42112
https://notcve.org/view.php?id=CVE-2021-42112
08 Oct 2021 — The "File upload question" functionality in LimeSurvey 3.x-LTS through 3.27.18 allows XSS in assets/scripts/modaldialog.js and assets/scripts/uploader.js. La funcionalidad "File upload question" en LimeSurvey versiones 3.x-LTS hasta 3.27.18, permite un ataque de tipo XSS en assets/scripts/modaldialog.js y assets/scripts/uploader.js • https://bugs.limesurvey.org/view.php?id=17562 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2020-22607
https://notcve.org/view.php?id=CVE-2020-22607
28 Jun 2021 — Cross Site Scripting vulnerabilty in LimeSurvey 4.1.11+200316 via the (1) name and (2) description parameters in application/controllers/admin/PermissiontemplatesController.php. Una vulnerabilidad de tipo Cross Site Scripting en LimeSurvey versión 4.1.11+200316, por medio de los parámetros (1) name y (2) description en el archivo application/controllers/admin/PermissiontemplatesController.php • https://github.com/LimeSurvey/LimeSurvey/commit/2aada33c76efbbc35d33c149ac02b1dc16a81f62 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2020-23710
https://notcve.org/view.php?id=CVE-2020-23710
28 Jun 2021 — Cross Site Scripting (XSS) vulneraiblity in LimeSurvey 4.2.5 on textbox via the Notifications & data feature. Una vulnerabilidad de tipo Cross Site Scripting (XSS) en LimeSurvey versión 4.2.5, en el textbox por medio de la funcionalidad Notifications & data • https://github.com/LimeSurvey/LimeSurvey/pull/1441#partial-pull-merging • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •