Limesurvey

74 vulnerabilities found.

Note: This list may be incomplete. Data is provided in its original format without warranty.
Exploit
  • EPSS 0.05%
  • Published 28.01.2026 12:29:03
  • Last modified 02.02.2026 16:16:14

LimeSurvey 4.3.10 contains a stored cross-site scripting vulnerability in the Survey Menu functionality of the administration panel. Attackers can inject malicious SVG scripts through the Surveymenu[title] and Surveymenu[parent_id] parameters to exec...

  • EPSS 0.05%
  • Published 20.11.2025 12:52:25
  • Last modified 21.11.2025 19:54:57

In version 6.13.0 of LimeSurvey, any external user can cause a 500 error in the survey system by sending a malformed session cookie. Instead of displaying a generic error message, the system exposes internal backend information, including the use of ...

  • EPSS 0.06%
  • Published 20.11.2025 12:49:29
  • Last modified 21.11.2025 19:59:05

Vulnerability in LimeSurvey 6.13.0 in the endpoint /optin that causes infinite HTTP redirects when accessed directly. This behavior can be exploited to generate a Denial of Service (DoS attack), by exhausting server or client resources. The syst...

  • EPSS 0.06%
  • Published 20.11.2025 12:47:05
  • Last modified 21.11.2025 20:00:55

Vulnerability in LimeSurvey 6.13.0 in the endpoint /optout that causes infinite HTTP redirects when accessed directly. This behavior can be exploited to generate a Denial of Service (DoS attack), by exhausting server or client resources. The sy...

  • EPSS 0.05%
  • Published 01.08.2025 12:29:59
  • Last modified 30.01.2026 21:44:53

CRLF Injection vulnerability in Limesurvey v2.65.1+170522. This vulnerability could allow a remote attacker to inject arbitrary HTTP headers and perform HTTP response splitting attacks via '/index.php/survey/index/sid/<SID>/token/fwyfw%0d%0aCookie:%...

  • EPSS 0.04%
  • Published 01.08.2025 12:29:48
  • Last modified 30.01.2026 21:45:13

SQL Injection vulnerability in Limesurvey v2.65.1+170522. This vulnerability allows an attacker to retrieve, create, update and delete database via 'token' parameter in '/index.php' endpoint.

  • EPSS 50.18%
  • Published 16.07.2025 21:15:26
  • Last modified 17.07.2025 21:15:50

An unauthenticated file download vulnerability exists in LimeSurvey versions from 2.0+ up to and including 2.06+ Build 151014. The application fails to validate serialized input to the admin backup endpoint (`index.php/admin/update/sa/backup`), allow...

  • EPSS 0.85%
  • Published 07.10.2024 16:15:05
  • Last modified 25.03.2025 17:15:53

Cross Site Scripting vulnerability in LimeSurvey before 6.5.12+240611 allows a remote attacker to execute arbitrary code via a crafted script to the title and comment fields.

  • EPSS 0.47%
  • Published 07.10.2024 16:15:05
  • Last modified 25.03.2025 17:15:53

Cross Site Scripting vulnerability in LimeSurvey before 6.5.0+240319 allows a remote attacker to execute arbitrary code via a lack of input validation and output encoding in the Alert Widget's message component.

  • EPSS 0.31%
  • Published 03.09.2024 18:15:08
  • Last modified 13.03.2025 21:15:41

A Host header injection vulnerability in the password reset function of LimeSurvey v.6.6.1+240806 and before allows attackers to send users a crafted password reset link that will direct victims to a malicious domain.