Shodan
Vulnerabilities
Vulnerable Software
Limesurvey:  >> Limesurvey  >> 2.65.2  Security Vulnerabilities
CVE-2024-39063
Lime Survey <= 6.5.12 is vulnerable to Cross Site Request Forgery (CSRF). The YII_CSRF_TOKEN is only checked when passed in the body of POST requests, but the same check isn't performed in the equivalent GET requests.
CVSS Score
8.8
EPSS Score
0.002
Published
2024-07-09
CVE-2023-44796
Cross Site Scripting (XSS) vulnerability in LimeSurvey before version 6.2.9-230925 allows a remote attacker to escalate privileges via a crafted script to the _generaloptions_panel.php component.
CVSS Score
5.4
EPSS Score
0.001
Published
2023-11-18
CVE-2022-29710
A cross-site scripting (XSS) vulnerability in uploadConfirm.php of LimeSurvey v5.3.9 and below allows attackers to execute arbitrary web scripts or HTML via a crafted plugin.
CVSS Score
6.1
EPSS Score
0.005
Published
2022-05-25
CVE-2019-25019
LimeSurvey before 4.0.0-RC4 allows SQL injection via the participant model.
CVSS Score
9.8
EPSS Score
0.004
Published
2021-02-14
CVE-2020-25798
A stored cross-site scripting (XSS) vulnerability in LimeSurvey before and including 3.21.1 allows authenticated users with correct permissions to inject arbitrary web script or HTML via parameter ParticipantAttributeNamesDropdown of the Attributes on the central participant database page. When the survey attribute being edited or viewed, e.g. by an administrative user, the JavaScript code will be executed in the browser.
CVSS Score
5.4
EPSS Score
0.003
Published
2020-11-17
CVE-2020-11455
LimeSurvey before 4.1.12+200324 contains a path traversal vulnerability in application/controllers/admin/LimeSurveyFileManager.php.
CVSS Score
9.8
EPSS Score
0.936
Published
2020-04-01
CVE-2020-11456
LimeSurvey before 4.1.12+200324 has stored XSS in application/views/admin/surveysgroups/surveySettings.php and application/models/SurveysGroups.php (aka survey groups).
CVSS Score
5.4
EPSS Score
0.003
Published
2020-04-01
CVE-2019-17660
A cross-site scripting (XSS) vulnerability in admin/translate/translateheader_view.php in LimeSurvey 3.19.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the tolang parameter, as demonstrated by the index.php/admin/translate/sa/index/surveyid/336819/lang/ PATH_INFO.
CVSS Score
6.1
EPSS Score
0.004
Published
2019-10-16
CVE-2019-16186
In Limesurvey before 3.17.14, admin users can access the plugin manager without proper permissions.
CVSS Score
7.2
EPSS Score
0.003
Published
2019-09-09
CVE-2019-16187
Limesurvey before 3.17.14 uses an anti-CSRF cookie without the HttpOnly flag, which allows attackers to access a cookie value via a client-side script.
CVSS Score
7.5
EPSS Score
0.003
Published
2019-09-09


Products
Pricing
Contact Us

Shodan ® - All rights reserved