Limesurvey: >> Limesurvey >> 3.16.1 Security Vulnerabilities
LimeSurvey before v3.17.14 allows reflected XSS for escalating privileges from a low-privileged account to, for example, SuperAdmin. This occurs in application/core/Survey_Common_Action.php,
CVSS Score
5.4
EPSS Score
0.006
Published
2019-09-09
Limesurvey before 3.17.10 does not validate both the MIME type and file extension of an image.
CVSS Score
7.5
EPSS Score
0.002
Published
2019-08-26
The downloadZip function in application/controllers/admin/export.php in LimeSurvey through 3.16.1+190225 allows a relative path.
CVSS Score
9.8
EPSS Score
0.701
Published
2019-03-24
SQL injection vulnerability in Limesurvey (a.k.a PHPSurveyor) before 1.91+ Build 120224 and earlier allows remote attackers to execute arbitrary SQL commands via the fieldnames parameter to index.php.
CVSS Score
7.5
EPSS Score
0.021
Published
2012-09-15
Page 4