Filtered by vendor Limesurvey
Subscribe
Total
68 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-42901 | 1 Limesurvey | 1 Limesurvey | 2025-07-03 | N/A | N/A |
| A CSV injection vulnerability in Lime Survey v6.5.12 allows attackers to execute arbitrary code via uploading a crafted CSV file. | |||||
| CVE-2024-42902 | 1 Limesurvey | 1 Limesurvey | 2025-07-03 | N/A | N/A |
| An issue in the js_localize.php function of LimeSurvey v6.6.2 and before allows attackers to execute arbitrary code via injecting a crafted payload into the lng parameter of the js_localize.php function | |||||
| CVE-2022-48008 | 1 Limesurvey | 1 Limesurvey | 2025-03-28 | N/A | 9.8 CRITICAL |
| An arbitrary file upload vulnerability in the plugin manager of LimeSurvey v5.4.15 allows attackers to execute arbitrary code via a crafted PHP file. | |||||
| CVE-2024-28709 | 1 Limesurvey | 1 Limesurvey | 2025-03-25 | N/A | 6.1 MEDIUM |
| Cross Site Scripting vulnerability in LimeSurvey before 6.5.12+240611 allows a remote attacker to execute arbitrary code via a crafted script to the title and comment fields. | |||||
| CVE-2024-28710 | 1 Limesurvey | 1 Limesurvey | 2025-03-25 | N/A | 6.1 MEDIUM |
| Cross Site Scripting vulnerability in LimeSurvey before 6.5.0+240319 allows a remote attacker to execute arbitrary code via a lack of input validation and output encoding in the Alert Widget's message component. | |||||
| CVE-2024-42903 | 1 Limesurvey | 1 Limesurvey | 2025-03-13 | N/A | 6.5 MEDIUM |
| A Host header injection vulnerability in the password reset function of LimeSurvey v.6.6.1+240806 and before allows attackers to send users a crafted password reset link that will direct victims to a malicious domain. | |||||
| CVE-2021-44967 | 1 Limesurvey | 1 Limesurvey | 2025-02-20 | 9.0 HIGH | 8.8 HIGH |
| A Remote Code Execution (RCE) vulnerabilty exists in LimeSurvey 5.2.4 via the upload and install plugins function, which could let a remote malicious user upload an arbitrary PHP code file. NOTE: the Supplier's position is that plugins intentionally can contain arbitrary PHP code, and can only be installed by a superadmin, and therefore the security model is not violated by this finding. | |||||
| CVE-2022-48010 | 1 Limesurvey | 1 Limesurvey | 2024-08-03 | N/A | 5.4 MEDIUM |
| LimeSurvey v5.4.15 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the component /index.php/surveyAdministration/rendersidemenulink?subaction=surveytexts. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Description or Welcome-message text fields. NOTE: the vendor indicates that this is not a vulnerability because the manipulation requires Superadministrator privileges, and Superadministrators are already allowed to customize surveys with JavaScript as they wish. | |||||
| CVE-2022-43279 | 1 Limesurvey | 1 Limesurvey | 2024-07-03 | N/A | 7.2 HIGH |
| LimeSurvey before v5.0.4 was discovered to contain a SQL injection vulnerability via the component /application/views/themeOptions/update.php. | |||||
| CVE-2023-44796 | 1 Limesurvey | 1 Limesurvey | 2024-01-10 | N/A | 5.4 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in LimeSurvey before version 6.2.9-230925 allows a remote attacker to escalate privileges via a crafted script to the _generaloptions_panel.php component. | |||||
| CVE-2009-1604 | 1 Limesurvey | 1 Limesurvey | 2023-11-07 | 7.5 HIGH | N/A |
| Unspecified vulnerability in LimeSurvey before 1.82 allows remote attackers to execute commands and obtain sensitive data via unknown attack vectors related to /admin/remotecontrol/. | |||||
| CVE-2008-2570 | 1 Limesurvey | 1 Limesurvey | 2023-11-07 | 9.3 HIGH | N/A |
| Multiple unspecified vulnerabilities in LimeSurvey (formerly PHPSurveyor) before 1.71 have unknown impact and attack vectors. | |||||
| CVE-2008-2571 | 1 Limesurvey | 1 Limesurvey | 2023-11-07 | 4.3 MEDIUM | N/A |
| Cross-site request forgery (CSRF) vulnerability in LimeSurvey (formerly PHPSurveyor) before 1.71 allows remote attackers to change arbitrary quotas as administrators via a "modify quota" action. | |||||
| CVE-2019-16172 | 1 Limesurvey | 1 Limesurvey | 2023-02-13 | 3.5 LOW | 5.4 MEDIUM |
| LimeSurvey before v3.17.14 allows stored XSS for escalating privileges from a low-privileged account to, for example, SuperAdmin. The attack uses a survey group in which the title contains JavaScript that is mishandled upon group deletion. | |||||
| CVE-2019-16173 | 1 Limesurvey | 1 Limesurvey | 2023-02-13 | 3.5 LOW | 5.4 MEDIUM |
| LimeSurvey before v3.17.14 allows reflected XSS for escalating privileges from a low-privileged account to, for example, SuperAdmin. This occurs in application/core/Survey_Common_Action.php, | |||||
| CVE-2020-11455 | 1 Limesurvey | 1 Limesurvey | 2022-07-30 | 7.5 HIGH | 9.8 CRITICAL |
| LimeSurvey before 4.1.12+200324 contains a path traversal vulnerability in application/controllers/admin/LimeSurveyFileManager.php. | |||||
| CVE-2020-11456 | 1 Limesurvey | 1 Limesurvey | 2022-07-30 | 3.5 LOW | 5.4 MEDIUM |
| LimeSurvey before 4.1.12+200324 has stored XSS in application/views/admin/surveysgroups/surveySettings.php and application/models/SurveysGroups.php (aka survey groups). | |||||
| CVE-2022-29710 | 1 Limesurvey | 1 Limesurvey | 2022-06-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability in uploadConfirm.php of LimeSurvey v5.3.9 and below allows attackers to execute arbitrary web scripts or HTML via a crafted plugin. | |||||
| CVE-2018-10228 | 1 Limesurvey | 1 Limesurvey | 2021-12-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in /application/controller/admin/theme.php in LimeSurvey 3.6.2+180406 allows remote attackers to inject arbitrary web script or HTML via the changes_cp parameter to the index.php/admin/themes/sa/templatesavechanges URI. | |||||
| CVE-2021-42112 | 1 Limesurvey | 1 Limesurvey | 2021-12-03 | 4.3 MEDIUM | 6.1 MEDIUM |
| The "File upload question" functionality in LimeSurvey 3.x-LTS through 3.27.18 allows XSS in assets/scripts/modaldialog.js and assets/scripts/uploader.js. | |||||