LimeSurvey is prone to multiple vulnerabilities.
The following vulnerabilities exist:
- Stored XSS for escalating privileges from a low-privileged account to, for example, SuperAdmin. The
- Reflected XSS for escalating privileges. This occurs in application/core/Survey_Common_Action.php. (CVE-2019-16173)
- Stored XSS that allows authenticated users with correct permissions to inject arbitrary web script
or HTML via titles of admin box buttons on the home page. (CVE-2019-16178)
- Reflected XSS that allows remote attackers to inject arbitrary web script or HTML via extensions
of uploaded files. (CVE-2019-16182)
- Admin users can mark other users' notifications as read. (CVE-2019-16181)
- Admin users can run an integrity check without proper permissions. (CVE-2019-16183)
- Admin users can view, update, or delete reserved menu entries without proper permissions. (CVE-2019-16185)
- Admin users can access the plugin manager without proper permissions. (CVE-2019-16186)
- An XML injection vulnerability that allows remote attackers to import specially crafted
XML files and execute code or compromise data integrity. (CVE-2019-16174)
- A path disclosure vulnerability that allows a remote attacker to discover the path to
the application in the filesystem. (CVE-2019-16176)
- A clickjacking vulnerability related to X-Frame-Options SAMEORIGIN not being set by default. (CVE-2019-16175)
- The database backup uses browser cache, which exposes it entirely. (CVE-2019-16177)
- The default configuration does not enforce SSL/TLS usage. (CVE-2019-16179)
- A vulnerability that allows remote attackers to brute-force the login form and enumerate
usernames when the LDAP authentication method is used. (CVE-2019-16180)
- A CSV injection vulnerability that allows survey participants to inject commands via their
survey responses that will be included in the export CSV file. (CVE-2019-16184)
- A vulnerability related to the use of an anti-CSRF cookie without the HttpOnly flag, which
allows attackers to access a cookie value via a client-side script. (CVE-2019-16187)
Detection Method: Checks if a vulnerable version is present on the target host.
Affected Software: LimeSurvey before version 3.17.14.
Solution: Update to version 3.17.14 or later.
Family: Web application abuses