Limesurvey

Limesurvey

80 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
  • EPSS 0.36%
  • Veröffentlicht 09.06.2026 18:17:10
  • Zuletzt bearbeitet 09.06.2026 19:36:10

The RemoteControl API methods invite_participants and remind_participants pass a caller-supplied token-ID array into TokenDynamic::findUninvited(), which concatenates the values directly into a tid IN ('...') SQL clause without parameterization or in...

  • EPSS 0.37%
  • Veröffentlicht 09.06.2026 18:17:10
  • Zuletzt bearbeitet 09.06.2026 19:36:10

LimeSurvey constructs account password-reset links from the client-supplied HTTP Host header without validating it. The optional allowedHosts allowlist that would constrain this is undefined in the default (and documented) configuration, so LSHttpReq...

Exploit
  • EPSS 0.28%
  • Veröffentlicht 09.04.2026 18:16:42
  • Zuletzt bearbeitet 16.04.2026 19:01:01

Cross Site Scripting vulnerability in Limesurvey v.6.15.20+251021 allows a remote attacker to execute arbitrary code via the Box[title] and box[url] parameters.

Exploit
  • EPSS 0.23%
  • Veröffentlicht 09.04.2026 18:16:42
  • Zuletzt bearbeitet 16.04.2026 19:02:22

A Reflected Cross-Site Scripting (XSS) affects LimeSurvey versions prior to 6.15.11+250909, due to the lack of validation of gid parameter in getInstance() function in application/models/QuestionCreate.php. This allows an attacker to craft a maliciou...

  • EPSS 0.85%
  • Veröffentlicht 10.03.2026 00:00:00
  • Zuletzt bearbeitet 05.07.2026 02:17:00

A deserialization vulnerability in LimeSurvey before v6.15.0+250623 allows a remote attacker to execute arbitrary code on the server.

  • EPSS 0.47%
  • Veröffentlicht 10.03.2026 00:00:00
  • Zuletzt bearbeitet 05.07.2026 02:17:00

SQL Injection vulnerability in LimeSurvey before v.6.15.4+250710 allows a remote attacker to obtain sensitive information from the database.

Exploit
  • EPSS 0.25%
  • Veröffentlicht 28.01.2026 12:29:03
  • Zuletzt bearbeitet 02.02.2026 16:16:14

LimeSurvey 4.3.10 contains a stored cross-site scripting vulnerability in the Survey Menu functionality of the administration panel. Attackers can inject malicious SVG scripts through the Surveymenu[title] and Surveymenu[parent_id] parameters to exec...

  • EPSS 0.24%
  • Veröffentlicht 20.11.2025 12:52:25
  • Zuletzt bearbeitet 21.11.2025 19:54:57

In version 6.13.0 of LimeSurvey, any external user can cause a 500 error in the survey system by sending a malformed session cookie. Instead of displaying a generic error message, the system exposes internal backend information, including the use of ...

  • EPSS 0.28%
  • Veröffentlicht 20.11.2025 12:49:29
  • Zuletzt bearbeitet 21.11.2025 19:59:05

Vulnerability in LimeSurvey 6.13.0 in the endpoint /optin that causes infinite HTTP redirects when accessed directly. This behavior can be exploited to generate a Denegation of Service (DoS attack), by exhausting server or client resources. The syst...

  • EPSS 0.28%
  • Veröffentlicht 20.11.2025 12:47:05
  • Zuletzt bearbeitet 21.11.2025 20:00:55

Vulnerability in LimeSurvey 6.13.0 in the endpoint /optout that causes infinite HTTP redirects when accessed directly. This behavior can be exploited to generate a Denegation of Service (DoS attack), by exhausting server or client resources. The sy...