- EPSS 0.83%
- Veröffentlicht 09.09.2019 21:15:11
- Zuletzt bearbeitet 21.11.2024 04:30:13
In Limesurvey before 3.17.14, admin users can mark other users' notifications as read.
CVE-2019-16182
- EPSS 1.1%
- Veröffentlicht 09.09.2019 21:15:11
- Zuletzt bearbeitet 21.11.2024 04:30:13
A reflected cross-site scripting (XSS) vulnerability was found in Limesurvey before 3.17.14 that allows remote attackers to inject arbitrary web script or HTML via extensions of uploaded files.
- EPSS 0.79%
- Veröffentlicht 09.09.2019 21:15:11
- Zuletzt bearbeitet 21.11.2024 04:30:13
In Limesurvey before 3.17.14, admin users can run an integrity check without proper permissions.
CVE-2019-16184
- EPSS 1.71%
- Veröffentlicht 09.09.2019 21:15:11
- Zuletzt bearbeitet 21.11.2024 04:30:13
A CSV injection vulnerability was found in Limesurvey before 3.17.14 that allows survey participants to inject commands via their survey responses that will be included in the export CSV file.
CVE-2019-16185
- EPSS 1.3%
- Veröffentlicht 09.09.2019 21:15:11
- Zuletzt bearbeitet 21.11.2024 04:30:13
In Limesurvey before 3.17.14, admin users can view, update, or delete reserved menu entries without proper permissions.
CVE-2019-16173
- EPSS 3.67%
- Veröffentlicht 09.09.2019 19:15:11
- Zuletzt bearbeitet 21.11.2024 04:30:12
LimeSurvey before v3.17.14 allows reflected XSS for escalating privileges from a low-privileged account to, for example, SuperAdmin. This occurs in application/core/Survey_Common_Action.php,
CVE-2019-16172
- EPSS 4.61%
- Veröffentlicht 09.09.2019 19:15:11
- Zuletzt bearbeitet 21.11.2024 04:30:11
LimeSurvey before v3.17.14 allows stored XSS for escalating privileges from a low-privileged account to, for example, SuperAdmin. The attack uses a survey group in which the title contains JavaScript that is mishandled upon group deletion.
CVE-2019-15640
- EPSS 1.21%
- Veröffentlicht 26.08.2019 17:15:12
- Zuletzt bearbeitet 21.11.2024 04:29:10
Limesurvey before 3.17.10 does not validate both the MIME type and file extension of an image.
CVE-2019-9960
- EPSS 13.37%
- Veröffentlicht 24.03.2019 01:29:00
- Zuletzt bearbeitet 21.11.2024 04:52:40
The downloadZip function in application/controllers/admin/export.php in LimeSurvey through 3.16.1+190225 allows a relative path.
CVE-2017-18358
- EPSS 0.95%
- Veröffentlicht 15.01.2019 16:29:00
- Zuletzt bearbeitet 21.11.2024 03:19:55
LimeSurvey before 2.72.4 has Stored XSS by using the Continue Later (aka Resume later) feature to enter an email address, which is mishandled in the admin panel.