Limesurvey: >> Limesurvey >> 1.70+ Security Vulnerabilities
LimeSurvey 4.3.10 contains a stored cross-site scripting vulnerability in the Survey Menu functionality of the administration panel. Attackers can inject malicious SVG scripts through the Surveymenu[title] and Surveymenu[parent_id] parameters to execute arbitrary JavaScript in administrative contexts.
CVSS Score
5.4
EPSS Score
0.001
Published
2026-01-28
Cross Site Scripting vulnerability in LimeSurvey before 6.5.12+240611 allows a remote attacker to execute arbitrary code via a crafted script to the title and comment fields.
CVSS Score
6.1
EPSS Score
0.008
Published
2024-10-07
Cross Site Scripting vulnerability in LimeSurvey before 6.5.0+240319 allows a remote attacker to execute arbitrary code via a lack of input validation and output encoding in the Alert Widget's message component.
CVSS Score
6.1
EPSS Score
0.005
Published
2024-10-07
A CSV injection vulnerability in Lime Survey v6.5.12 allows attackers to execute arbitrary code via uploading a crafted CSV file.
CVSS Score
4.8
EPSS Score
0.002
Published
2024-09-03
An issue in the js_localize.php function of LimeSurvey v6.6.2 and before allows attackers to execute arbitrary code via injecting a crafted payload into the lng parameter of the js_localize.php function
CVSS Score
8.8
EPSS Score
0.002
Published
2024-09-03
A Host header injection vulnerability in the password reset function of LimeSurvey v.6.6.1+240806 and before allows attackers to send users a crafted password reset link that will direct victims to a malicious domain.
CVSS Score
6.5
EPSS Score
0.003
Published
2024-09-03
Lime Survey <= 6.5.12 is vulnerable to Cross Site Request Forgery (CSRF). The YII_CSRF_TOKEN is only checked when passed in the body of POST requests, but the same check isn't performed in the equivalent GET requests.
CVSS Score
8.8
EPSS Score
0.002
Published
2024-07-09
Cross Site Scripting (XSS) vulnerability in LimeSurvey before version 6.2.9-230925 allows a remote attacker to escalate privileges via a crafted script to the _generaloptions_panel.php component.
CVSS Score
5.4
EPSS Score
0.001
Published
2023-11-18
A cross-site scripting (XSS) vulnerability in uploadConfirm.php of LimeSurvey v5.3.9 and below allows attackers to execute arbitrary web scripts or HTML via a crafted plugin.
CVSS Score
6.1
EPSS Score
0.005
Published
2022-05-25
LimeSurvey before 4.0.0-RC4 allows SQL injection via the participant model.
CVSS Score
9.8
EPSS Score
0.004
Published
2021-02-14
Page 1