LimesurveyCVEs & Vulnerabilities

77 CVEs affecting Limesurvey products, tracked from the National Vulnerability Database, with CVSS/EPSS scores and exploitation status.

Most Affected Products

limesurvey 136
CVE-2019-16172MEDIUMpoc

LimeSurvey before v3.17.14 allows stored XSS for escalating privileges from a low-privileged account to, for example, SuperAdmin. The attack uses a survey group in which the title contains JavaScript that is mishandled upon group deletion.

9 Sep 2019
5.4
CVSS
CVE-2019-15640HIGH

Limesurvey before 3.17.10 does not validate both the MIME type and file extension of an image.

26 Aug 2019
7.5
CVSS
CVE-2019-9960CRITICAL

The downloadZip function in application/controllers/admin/export.php in LimeSurvey through 3.16.1+190225 allows a relative path.

24 Mar 2019
9.8
CVSS
CVE-2017-18358MEDIUM

LimeSurvey before 2.72.4 has Stored XSS by using the Continue Later (aka Resume later) feature to enter an email address, which is mishandled in the admin panel.

15 Jan 2019
6.1
CVSS
CVE-2018-20322MEDIUM

LimeSurvey version 3.15.5 contains a Cross-site scripting (XSS) vulnerability in Survey Resource zip upload, resulting in Javascript code execution against LimeSurvey administrators. Fixed in version 3.15.6.

22 Dec 2018
6.1
CVSS
CVE-2018-17003MEDIUM

In LimeSurvey 3.14.7, HTML Injection and Stored XSS have been discovered in the appendix via the surveyls_title parameter to /index.php?r=admin/survey/sa/insert.

21 Sep 2018
6.1
CVSS
CVE-2018-17057CRITICALpoc

An issue was discovered in TCPDF before 6.2.22. Attackers can trigger deserialization of arbitrary data via the phar:// wrapper.

14 Sep 2018
9.8
CVSS
CVE-2018-1000659HIGH

LimeSurvey version 3.14.4 and earlier contains a directory traversal in file upload that allows upload of webshell vulnerability in file upload functionality that can result in remote code execution as authenticated user. This attack appear to be exploitable via An authenticated user can upload a specially crafted zip file to get remote code execution. This vulnerability appears to have been fixed in after commit 72a02ebaaf95a80e26127ee7ee2b123cccce05a7 / version 3.14.4.

6 Sep 2018
8.8
CVSS
CVE-2018-1000658HIGH

LimeSurvey version prior to 3.14.4 contains a file upload vulnerability in upload functionality that can result in an attacker gaining code execution via webshell. This attack appear to be exploitable via an authenticated user uploading a zip archive which can contains malicious php files that can be called under certain circumstances. This vulnerability appears to have been fixed in after commit 91d143230eb357260a19c8424b3005deb49a47f7 / version 3.14.4.

6 Sep 2018
8.8
CVSS
CVE-2018-16397MEDIUM

In LimeSurvey before 3.14.7, an admin user can leverage a "file upload" question to read an arbitrary file,

3 Sep 2018
4.9
CVSS
CVE-2018-1000514MEDIUM

LimeSurvey version 3.0.0-beta.3+17110 contains a Cross ite Request Forgery (CSRF) vulnerability in Boxes that can result in CSRF admins to delete boxes. This vulnerability appears to have been fixed in 3.6.x.

26 Jun 2018
4.3
CVSS
CVE-2018-1000513MEDIUM

LimeSurvey version 3.0.0-beta.3+17110 contains a Cross Site Scripting (XSS) vulnerability in Boxes that can result in JS code execution against LimeSurvey admins. This vulnerability appears to have been fixed in 3.6.x.

26 Jun 2018
4.8
CVSS
CVE-2018-7556CRITICAL

LimeSurvey 2.6.x before 2.6.7, 2.7x.x before 2.73.1, and 3.x before 3.4.2 mishandles application/controller/InstallerController.php after installation, which allows remote attackers to access the configuration file.

28 Feb 2018
9.1
CVSS
CVE-2018-1000053HIGH

LimeSurvey version 3.0.0-beta.3+17110 contains a Cross ite Request Forgery (CSRF) vulnerability in Theme Uninstallation that can result in CSRF causing LimeSurvey admins to delete all their themes, rendering the website unusable. This attack appear to be exploitable via Simple HTML markup can be used to send a GET request to the affected endpoint.

10 Feb 2018
8.8
CVSS
CVE-2015-5078MEDIUM

SQL injection vulnerability in the insert function in application/controllers/admin/dataentry.php in LimeSurvey 2.06+ allows remote authenticated users to execute arbitrary SQL commands via the closedate parameter.

28 Jun 2015
6.5
CVSS
CVE-2015-4628MEDIUM

SQL injection vulnerability in application/controllers/admin/questiongroups.php in LimeSurvey before 2.06+ Build 150618 allows remote authenticated administrators to execute arbitrary SQL commands via the sid parameter.

18 Jun 2015
6.5
CVSS
CVE-2014-5018MEDIUM

Incomplete blacklist vulnerability in the autoEscape function in common_helper.php in LimeSurvey 2.05+ Build 140618 allows remote attackers to conduct cross-site scripting (XSS) attacks via the GBK charset in the loadname parameter to index.php, related to the survey resume.

21 Jul 2014
4.3
CVSS
CVE-2014-5017HIGH

SQL injection vulnerability in CPDB in application/controllers/admin/participantsaction.php in LimeSurvey 2.05+ Build 140618 allows remote attackers to execute arbitrary SQL commands via the sidx parameter in a JSON request to admin/participants/sa/getParticipants_json, related to a search parameter.

21 Jul 2014
7.5
CVSS
CVE-2014-5016MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in LimeSurvey 2.05+ Build 140618 allow remote attackers to inject arbitrary web script or HTML via (1) the pid attribute to the getAttribute_json function to application/controllers/admin/participantsaction.php in CPDB, (2) the sa parameter to application/views/admin/globalSettings_view.php, or (3) a crafted CSV file to the "Import CSV" functionality.

21 Jul 2014
4.3
CVSS
CVE-2011-5256LOW

Cross-site scripting (XSS) vulnerability in the tooltips in LimeSurvey before 1.91+ Build 11379-20111116, when viewing survey results, allows remote attackers to inject arbitrary web script or HTML via unknown parameters.

12 Feb 2013
2.6
CVSS
CVE-2012-4995MEDIUM

Cross-site scripting (XSS) vulnerability in admin/userrighthandling.php in LimeSurvey before 1.91+ Build 120224 allows remote attackers to inject arbitrary web script or HTML via the full_name parameter in a moduser action to admin/admin.php. NOTE: some of these details are obtained from third party information.

19 Sep 2012
4.3
CVSS
CVE-2012-4994MEDIUM

SQL injection vulnerability in admin/admin.php in LimeSurvey before 1.91+ Build 120224 allows remote authenticated users to execute arbitrary SQL commands via the id parameter in a browse action. NOTE: some of these details are obtained from third party information.

19 Sep 2012
6.5
CVSS
CVE-2012-4927HIGHpoc

SQL injection vulnerability in Limesurvey (a.k.a PHPSurveyor) before 1.91+ Build 120224 and earlier allows remote attackers to execute arbitrary SQL commands via the fieldnames parameter to index.php.

15 Sep 2012
7.5
CVSS
CVE-2011-3752MEDIUM

LimeSurvey 1.90+ build9642-20101214 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by admin/statistics.php and certain other files.

24 Sep 2011
5.0
CVSS
CVE-2009-1604HIGH

Unspecified vulnerability in LimeSurvey before 1.82 allows remote attackers to execute commands and obtain sensitive data via unknown attack vectors related to /admin/remotecontrol/.

11 May 2009
7.5
CVSS
CVE-2008-2570CRITICAL

Multiple unspecified vulnerabilities in LimeSurvey (formerly PHPSurveyor) before 1.71 have unknown impact and attack vectors.

6 Jun 2008
9.3
CVSS
CVE-2008-2571MEDIUM

Cross-site request forgery (CSRF) vulnerability in LimeSurvey (formerly PHPSurveyor) before 1.71 allows remote attackers to change arbitrary quotas as administrators via a "modify quota" action.

6 Jun 2008
4.3
CVSS
CVE-2007-5573MEDIUMpoc

PHP remote file inclusion vulnerability in classes/core/language.php in LimeSurvey 1.5.2 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the rootdir parameter.

18 Oct 2007
6.8
CVSS
CVE-2007-3632MEDIUMpoc

Multiple PHP remote file inclusion vulnerabilities in LimeSurvey (aka PHPSurveyor) 1.49RC2 allow remote attackers to execute arbitrary PHP code via a URL in the homedir parameter to (1) OLE/PPS/File.php, (2) OLE/PPS/Root.php, (3) Spreadsheet/Excel/Writer.php, or (4) OLE/PPS.php in admin/classes/pear/; or (5) Worksheet.php, (6) Parser.php, (7) Workbook.php, (8) Format.php, or (9) BIFFwriter.php in admin/classes/pear/Spreadsheet/Excel/Writer/.

10 Jul 2007
6.8
CVSS
← PrevPage 2 / 2Next →