Vendor CVEs
Limesurvey
All CVEs
80 total · sorted by risk. This page shows the first 50 entries (page 1 of 2). Vendor / Product is LimeSurvey for every row, and the KEV column carries no entry for any row shown, so both are omitted from the table below; Sev and CVSS are given as "—" where the listing provides none.

| CVE | Sev | Risk | CVSS | EPSS | Published | Description |
|---|---|---|---|---|---|---|
| CVE-2025-34120 | High | 0.65 | — | 0.01 | Jul 16, 2025 | An unauthenticated file download vulnerability exists in LimeSurvey versions from 2.0+ up to and including 2.06+ Build 151014. The application fails to validate serialized input to the admin backup endpoint (`index.php/admin/update/sa/backup`), allowing attackers to specify… |
| CVE-2018-7556 | Critical | 0.59 | 9.1 | 0.02 | Feb 28, 2018 | LimeSurvey 2.6.x before 2.6.7, 2.7x.x before 2.73.1, and 3.x before 3.4.2 mishandles application/controller/InstallerController.php after installation, which allows remote attackers to access the configuration file. |
| CVE-2026-50636 | High | 0.50 | 8.8 | 0.00 | Jun 9, 2026 | The RemoteControl API methods invite_participants and remind_participants pass a caller-supplied token-ID array into TokenDynamic::findUninvited(), which concatenates the values directly into a tid IN ('...') SQL clause without parameterization or input validation. A remote,… |
| CVE-2026-50635 | High | 0.50 | 8.8 | 0.00 | Jun 9, 2026 | LimeSurvey constructs account password-reset links from the client-supplied HTTP Host header without validating it. The optional allowedHosts allowlist that would constrain this is undefined in the default (and documented) configuration, so LSHttpRequest::checkIsAllowedHost()… |
| CVE-2018-17003 | Medium | 0.40 | 6.1 | 0.01 | Sep 21, 2018 | In LimeSurvey 3.14.7, HTML Injection and Stored XSS have been discovered in the appendix via the surveyls_title parameter to /index.php?r=admin/survey/sa/insert. |
| CVE-2024-6933 | Medium | 0.34 | 6.3 | 0.01 | Jul 21, 2024 | A flaw has been found in LimeSurvey 6.5.14-240624. Affected by this issue is the function actionUpdateSurveyLocaleSettingsGeneralSettings of the file /index.php?r=admin/database/index/updatesurveylocalesettings_generalsettings of the component Survey General Settings Handler.… |
| CVE-2025-70797 | Medium | 0.33 | 6.1 | 0.00 | Apr 9, 2026 | Cross Site Scripting vulnerability in Limesurvey v.6.15.20+251021 allows a remote attacker to execute arbitrary code via the Box[title] and box[url] parameters. |
| CVE-2025-63238 | Medium | 0.33 | 6.1 | 0.00 | Apr 9, 2026 | A Reflected Cross-Site Scripting (XSS) affects LimeSurvey versions prior to 6.15.11+250909, due to the lack of validation of the gid parameter in the getInstance() function in application/models/QuestionCreate.php. This allows an attacker to craft a malicious URL and compromise the… |
| CVE-2018-16397 | Medium | 0.32 | 4.9 | 0.01 | Sep 3, 2018 | In LimeSurvey before 3.14.7, an admin user can leverage a "file upload" question to read an arbitrary file, |
| CVE-2018-1000513 | Medium | 0.31 | 4.8 | 0.01 | Jun 26, 2018 | LimeSurvey version 3.0.0-beta.3+17110 contains a Cross Site Scripting (XSS) vulnerability in Boxes that can result in JS code execution against LimeSurvey admins. This vulnerability appears to have been fixed in 3.6.x. |
| CVE-2018-1000514 | Medium | 0.28 | 4.3 | 0.00 | Jun 26, 2018 | LimeSurvey version 3.0.0-beta.3+17110 contains a Cross Site Request Forgery (CSRF) vulnerability in Boxes that can result in CSRF attacks that cause admins to delete boxes. This vulnerability appears to have been fixed in 3.6.x. |
| CVE-2020-11455 | — | 0.11 | — | 0.97 | Apr 1, 2020 | LimeSurvey before 4.1.12+200324 contains a path traversal vulnerability in application/controllers/admin/LimeSurveyFileManager.php. |
| CVE-2020-11456 | — | 0.09 | — | 0.71 | Apr 1, 2020 | LimeSurvey before 4.1.12+200324 has stored XSS in application/views/admin/surveysgroups/surveySettings.php and application/models/SurveysGroups.php (aka survey groups). |
| CVE-2007-3632 | — | 0.08 | — | 0.62 | Jul 10, 2007 | Multiple PHP remote file inclusion vulnerabilities in LimeSurvey (aka PHPSurveyor) 1.49RC2 allow remote attackers to execute arbitrary PHP code via a URL in the homedir parameter to (1) OLE/PPS/File.php, (2) OLE/PPS/Root.php, (3) Spreadsheet/Excel/Writer.php, or (4) OLE/PPS.php… |
| CVE-2021-44967 | — | 0.06 | — | 0.13 | Feb 22, 2022 | A Remote Code Execution (RCE) vulnerability exists in LimeSurvey 5.2.4 via the upload and install plugins function, which could let a remote malicious user upload an arbitrary PHP code file. NOTE: the Supplier's position is that plugins intentionally can contain arbitrary PHP… |
| CVE-2019-9960 | — | 0.04 | — | 0.13 | Mar 24, 2019 | The downloadZip function in application/controllers/admin/export.php in LimeSurvey through 3.16.1+190225 allows a relative path. |
| CVE-2012-4927 | — | 0.03 | — | 0.02 | Sep 15, 2012 | SQL injection vulnerability in Limesurvey (a.k.a. PHPSurveyor) before 1.91+ Build 120224 and earlier allows remote attackers to execute arbitrary SQL commands via the fieldnames parameter to index.php. |
| CVE-2007-5573 | — | 0.03 | — | 0.03 | Oct 18, 2007 | PHP remote file inclusion vulnerability in classes/core/language.php in LimeSurvey 1.5.2 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the rootdir parameter. |
| CVE-2025-56422 | — | 0.00 | — | 0.01 | Mar 10, 2026 | A deserialization vulnerability in LimeSurvey before v6.15.0+250623 allows a remote attacker to execute arbitrary code on the server. |
| CVE-2025-56421 | — | 0.00 | — | 0.00 | Mar 10, 2026 | SQL Injection vulnerability in LimeSurvey before v.6.15.4+250710 allows a remote attacker to obtain sensitive information from the database. |
| CVE-2020-36993 | — | 0.00 | — | 0.00 | Jan 28, 2026 | LimeSurvey 4.3.10 contains a stored cross-site scripting vulnerability in the Survey Menu functionality of the administration panel. Attackers can inject malicious SVG scripts through the Surveymenu[title] and Surveymenu[parent_id] parameters to execute arbitrary JavaScript in… |
| CVE-2025-41076 | — | 0.00 | — | 0.00 | Nov 20, 2025 | In version 6.13.0 of LimeSurvey, any external user can cause a 500 error in the survey system by sending a malformed session cookie. Instead of displaying a generic error message, the system exposes internal backend information, including the use of the Yii framework, the… |
| CVE-2025-41075 | — | 0.00 | — | 0.00 | Nov 20, 2025 | Vulnerability in LimeSurvey 6.13.0 in the endpoint /optin that causes infinite HTTP redirects when accessed directly. This behavior can be exploited to generate a Denial of Service (DoS) attack by exhausting server or client resources. The system is unable to break the… |
| CVE-2025-41074 | — | 0.00 | — | 0.00 | Nov 20, 2025 | Vulnerability in LimeSurvey 6.13.0 in the endpoint /optout that causes infinite HTTP redirects when accessed directly. This behavior can be exploited to generate a Denial of Service (DoS) attack by exhausting server or client resources. The system is unable to break the… |
| CVE-2025-41376 | — | 0.00 | — | 0.00 | Aug 1, 2025 | CRLF Injection vulnerability in Limesurvey v2.65.1+170522. This vulnerability could allow a remote attacker to inject arbitrary HTTP headers and perform HTTP response splitting attacks via '/index.php/survey/index/sid//token/fwyfw%0d%0aCookie:%20POC'. |
| CVE-2025-41375 | — | 0.00 | — | 0.01 | Aug 1, 2025 | SQL Injection vulnerability in Limesurvey v2.65.1+170522. This vulnerability allows an attacker to retrieve, create, update and delete database contents via the 'token' parameter of the '/index.php' endpoint. |
| CVE-2024-28709 | — | 0.00 | — | 0.01 | Oct 7, 2024 | Cross Site Scripting vulnerability in LimeSurvey before 6.5.12+240611 allows a remote attacker to execute arbitrary code via a crafted script to the title and comment fields. |
| CVE-2024-28710 | — | 0.00 | — | 0.01 | Oct 7, 2024 | Cross Site Scripting vulnerability in LimeSurvey before 6.5.0+240319 allows a remote attacker to execute arbitrary code via a lack of input validation and output encoding in the Alert Widget's message component. |
| CVE-2024-42902 | — | 0.00 | — | 0.01 | Sep 3, 2024 | An issue in the js_localize.php function of LimeSurvey v6.6.2 and before allows attackers to execute arbitrary code via injecting a crafted payload into the lng parameter of the js_localize.php function. |
| CVE-2024-42901 | — | 0.00 | — | 0.00 | Sep 3, 2024 | A CSV injection vulnerability in Lime Survey v6.5.12 allows attackers to execute arbitrary code via uploading a crafted CSV file. |
| CVE-2024-42903 | — | 0.00 | — | 0.00 | Sep 3, 2024 | A Host header injection vulnerability in the password reset function of LimeSurvey v.6.6.1+240806 and before allows attackers to send users a crafted password reset link that will direct victims to a malicious domain. |
| CVE-2024-7887 | — | 0.00 | — | 0.01 | Aug 17, 2024 | A vulnerability was found in LimeSurvey 6.3.0-231016 and classified as problematic. Affected by this issue is some unknown functionality of the file /index.php of the component File Upload. The manipulation of the argument size leads to denial of service. The attack may be… |
| CVE-2024-39063 | — | 0.00 | — | 0.00 | Jul 9, 2024 | Lime Survey <= 6.5.12 is vulnerable to Cross Site Request Forgery (CSRF). The YII_CSRF_TOKEN is only checked when passed in the body of POST requests, but the same check isn't performed in the equivalent GET requests. |
| CVE-2023-44796 | — | 0.00 | — | 0.01 | Nov 17, 2023 | Cross Site Scripting (XSS) vulnerability in LimeSurvey before version 6.2.9-230925 allows a remote attacker to escalate privileges via a crafted script to the _generaloptions_panel.php component. |
| CVE-2022-48010 | — | 0.00 | — | 0.00 | Jan 27, 2023 | LimeSurvey v5.4.15 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the component /index.php/surveyAdministration/rendersidemenulink?subaction=surveytexts. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted… |
| CVE-2022-48008 | — | 0.00 | — | 0.01 | Jan 27, 2023 | An arbitrary file upload vulnerability in the plugin manager of LimeSurvey v5.4.15 allows attackers to execute arbitrary code via a crafted PHP file. |
| CVE-2022-43279 | — | 0.00 | — | 0.01 | Nov 15, 2022 | LimeSurvey before v5.0.4 was discovered to contain a SQL injection vulnerability via the component /application/views/themeOptions/update.php. |
| CVE-2022-29710 | — | 0.00 | — | 0.01 | May 24, 2022 | A cross-site scripting (XSS) vulnerability in uploadConfirm.php of LimeSurvey v5.3.9 and below allows attackers to execute arbitrary web scripts or HTML via a crafted plugin. |
| CVE-2018-10228 | — | 0.00 | — | 0.01 | Dec 14, 2021 | Cross-site scripting (XSS) vulnerability in /application/controller/admin/theme.php in LimeSurvey 3.6.2+180406 allows remote attackers to inject arbitrary web script or HTML via the changes_cp parameter to the index.php/admin/themes/sa/templatesavechanges URI. |
| CVE-2020-22607 | — | 0.00 | — | 0.01 | Jun 28, 2021 | Cross Site Scripting vulnerability in LimeSurvey 4.1.11+200316 via the (1) name and (2) description parameters in application/controllers/admin/PermissiontemplatesController.php. |
| CVE-2020-23710 | — | 0.00 | — | 0.01 | Jun 28, 2021 | Cross Site Scripting (XSS) vulnerability in LimeSurvey 4.2.5 on textbox via the Notifications & data feature. |
| CVE-2019-25019 | — | 0.00 | — | 0.01 | Feb 14, 2021 | LimeSurvey before 4.0.0-RC4 allows SQL injection via the participant model. |
| CVE-2020-25799 | — | 0.00 | — | 0.01 | Dec 31, 2020 | LimeSurvey 3.21.1 is affected by cross-site scripting (XSS) in the Quota component of the Survey page. When the survey quota is viewed, e.g. by an administrative user, the JavaScript code will be executed in the browser. |
| CVE-2020-25797 | — | 0.00 | — | 0.01 | Dec 31, 2020 | LimeSurvey 3.21.1 is affected by cross-site scripting (XSS) in the Add Participants function (first and last name parameters). When the survey participant is edited, e.g. by an administrative user, the JavaScript code will be executed in the browser. |
| CVE-2020-25798 | — | 0.00 | — | 0.01 | Nov 17, 2020 | A stored cross-site scripting (XSS) vulnerability in LimeSurvey before and including 3.21.1 allows authenticated users with correct permissions to inject arbitrary web script or HTML via parameter ParticipantAttributeNamesDropdown of the Attributes on the central participant… |
| CVE-2020-16192 | — | 0.00 | — | 0.01 | Aug 5, 2020 | LimeSurvey 4.3.2 allows reflected XSS because application/controllers/LSBaseController.php lacks code to validate parameters. |
| CVE-2019-14512 | — | 0.00 | — | 0.01 | Mar 16, 2020 | LimeSurvey 3.17.7+190627 has XSS via Boxes in application/extensions/PanelBoxWidget/views/box.php or a label title in application/views/admin/labels/labelview_view.php. |
| CVE-2019-17660 | — | 0.00 | — | 0.01 | Oct 16, 2019 | A cross-site scripting (XSS) vulnerability in admin/translate/translateheader_view.php in LimeSurvey 3.19.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the tolang parameter, as demonstrated by the index.php/admin/translate/sa/index/surveyid/3368… |
| CVE-2019-16174 | — | 0.00 | — | 0.02 | Sep 9, 2019 | An XML injection vulnerability was found in Limesurvey before 3.17.14 that allows remote attackers to import specially crafted XML files and execute code or compromise data integrity. |
| CVE-2019-16175 | — | 0.00 | — | 0.01 | Sep 9, 2019 | A clickjacking vulnerability was found in Limesurvey before 3.17.14. |
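The CVE-2026-50636 row above names the bug class (caller-supplied token IDs concatenated into a quoted `tid IN ('...')` clause) but its description is cut off. What follows is an added example, not LimeSurvey code and not an exploit against it: a constructed SQLite `tokens` table standing in for a survey token list, one query builder that concatenates the way the row describes, and one that validates each ID as an integer and binds a placeholder per value. The table name, the columns and the `sent` flag are invented for the example.

```python
import sqlite3
from typing import Iterable, List


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for a survey token table; not LimeSurvey's schema."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE tokens (tid INTEGER PRIMARY KEY, email TEXT, sent TEXT)")
    con.executemany("INSERT INTO tokens VALUES (?, ?, ?)", [
        (1, "a@example.test", "N"),            # not yet invited
        (2, "b@example.test", "N"),            # not yet invited
        (3, "c@example.test", "2025-01-01"),   # already invited
    ])
    return con


def find_uninvited_vulnerable(con: sqlite3.Connection, tids: Iterable[str]) -> List[int]:
    """The pattern from the table row: each ID is quoted and concatenated into the
    IN list, so a value containing a quote rewrites the WHERE clause."""
    in_list = "','".join(str(t) for t in tids)
    sql = f"SELECT tid FROM tokens WHERE sent = 'N' AND tid IN ('{in_list}')"
    return [row[0] for row in con.execute(sql)]


def find_uninvited_safe(con: sqlite3.Connection, tids: Iterable) -> List[int]:
    """Hardened form: reject anything that is not a non-negative integer, then bind
    one '?' placeholder per value so the driver never sees the IDs as SQL text."""
    ids = []
    for t in tids:
        is_int = isinstance(t, int) and not isinstance(t, bool)
        is_digits = isinstance(t, str) and t.isdigit()
        if not (is_int or is_digits):
            raise ValueError(f"token id must be a non-negative integer, got {t!r}")
        ids.append(int(t))
    if not ids:
        return []
    placeholders = ",".join("?" * len(ids))
    sql = f"SELECT tid FROM tokens WHERE sent = 'N' AND tid IN ({placeholders})"
    return [row[0] for row in con.execute(sql, ids)]


# Constructed inputs: a normal request and one carrying a quote-breakout value.
NORMAL_IDS = ["1", "3"]
PAYLOAD_IDS = ["1') OR ('1'='1"]

if __name__ == "__main__":
    con = make_db()
    print(find_uninvited_vulnerable(con, NORMAL_IDS))   # [1]
    print(find_uninvited_vulnerable(con, PAYLOAD_IDS))  # [1, 2, 3]: the sent='N' filter is bypassed
    print(find_uninvited_safe(con, NORMAL_IDS))         # [1]
    try:
        find_uninvited_safe(con, PAYLOAD_IDS)
    except ValueError as err:
        print("rejected:", err)
```

The payload turns the clause into `... AND tid IN ('1') OR ('1'='1')`, and because `AND` binds tighter than `OR` the appended condition is true for every row, including the already-invited one. The safe builder still uses string formatting, but only for the count of `?` placeholders, which is derived from the list length rather than its contents.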
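Two rows above, CVE-2026-50635 and CVE-2024-42903, describe the same weakness: the password-reset link is built from the client-controlled Host header, and the allowlist that should constrain it is optional and undefined by default. The following is an added example, not LimeSurvey code: a Python model of the optional-allowlist check that passes everything when unconfigured, a fail-closed variant, and a link builder that ignores the Host header entirely and uses a server-side base URL. The request headers, the `allowed_hosts` parameter and the `/password/reset` route are all constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed request headers for this example; not captured traffic.
VICTIM_HEADERS = {"Host": "survey.example.test"}
ATTACKER_HEADERS = {"Host": "evil.example.test"}

# Hypothetical reset route used for illustration only.
RESET_PATH = "/password/reset"


def check_is_allowed_host(host: str, allowed_hosts) -> bool:
    """Weak pattern: the allowlist is optional, and when it is undefined every
    Host value is accepted, so the check is a no-op in the default configuration."""
    if not allowed_hosts:
        return True
    return host.lower() in {h.lower() for h in allowed_hosts}


def check_is_allowed_host_strict(host: str, allowed_hosts) -> bool:
    """Fail-closed variant: an undefined allowlist trusts no host. A single
    ':port' suffix is stripped so 'survey.example.test:443' still matches."""
    if not allowed_hosts:
        return False
    bare = host.rsplit(":", 1)[0] if host.count(":") == 1 else host
    return bare.lower() in {h.lower() for h in allowed_hosts}


def reset_link_from_host(headers: dict, token: str, allowed_hosts=None,
                         check=check_is_allowed_host) -> str:
    """Builds the reset link from the Host header, gated only by `check`.
    With the default check and no allowlist, the attacker's host goes straight
    into the link that is mailed to the victim."""
    host = headers.get("Host", "")
    if not check(host, allowed_hosts):
        raise ValueError(f"host not allowed: {host!r}")
    return f"https://{host}{RESET_PATH}?token={token}"


def reset_link_hardened(base_url: str, token: str) -> str:
    """Hardened form: derive the link from a configured absolute base URL and
    never consult the request's Host header at all."""
    parts = urlsplit(base_url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("base_url must be an absolute https URL")
    return f"https://{parts.netloc}{RESET_PATH}?token={token}"


if __name__ == "__main__":
    tok = "t0k3n"
    print(reset_link_from_host(ATTACKER_HEADERS, tok))            # attacker host accepted
    print(reset_link_hardened("https://survey.example.test", tok))  # Host header irrelevant
```

The practical check for an operator is the first function's behaviour with `allowed_hosts=None`: if the deployment relies on an allowlist that is never set, every reset e-mail can be pointed at whatever host the attacker put in the request. Configuring the base URL server-side removes the dependency on the header altogether; the strict allowlist is the fallback when the host must stay dynamic.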
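The CVE-2024-39063 row describes a CSRF check that only runs for tokens sent in a POST body, so the same action reached over GET is never checked. What follows is an added example, not LimeSurvey or Yii code: a minimal Python dispatcher that reproduces that asymmetry beside a hardened one that refuses state-changing actions on safe methods and verifies the token from the body or a header on every other method. The `Request` type, the session layout, the `box/delete` route and the `X-CSRF-Token` header name are constructed for the example; `YII_CSRF_TOKEN` is the parameter name from the table row.

```python
import hmac
from dataclasses import dataclass, field


@dataclass
class Request:
    """Constructed request shape for the example; not a framework object."""
    method: str
    query: dict
    body: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def new_session() -> dict:
    """Constructed server-side session: a fixed CSRF token and two boxes to delete."""
    return {"csrf": "c3b0demo-csrf-token", "boxes": {1: "Welcome", 2: "Help"}}


STATE_CHANGING = {"box/delete"}      # hypothetical routes that mutate state
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def delete_box(session: dict, box_id) -> None:
    session["boxes"].pop(int(box_id), None)


def dispatch_vulnerable(req: Request, session: dict) -> int:
    """The weakness from the row: the token is compared only when the request is a
    POST, so a GET carrying the same route and id runs the action unchecked."""
    if req.method == "POST":
        sent = req.body.get("YII_CSRF_TOKEN", "")
        if not hmac.compare_digest(sent, session["csrf"]):
            return 403
    action = req.query.get("r")
    if action == "box/delete":
        delete_box(session, req.query.get("id") or req.body.get("id"))
    return 200


def dispatch_hardened(req: Request, session: dict) -> int:
    """Fix: state-changing routes are never served on safe methods, and on every
    other method the token must arrive in the body or a header and match."""
    action = req.query.get("r")
    if action in STATE_CHANGING:
        if req.method in SAFE_METHODS:
            return 405
        sent = req.body.get("YII_CSRF_TOKEN") or req.headers.get("X-CSRF-Token", "")
        if not hmac.compare_digest(sent, session["csrf"]):
            return 403
    if action == "box/delete":
        delete_box(session, req.body.get("id") or req.query.get("id"))
    return 200


if __name__ == "__main__":
    s = new_session()
    print(dispatch_vulnerable(Request("GET", {"r": "box/delete", "id": "1"}), s), s["boxes"])  # 200, box 1 gone
    s = new_session()
    print(dispatch_hardened(Request("GET", {"r": "box/delete", "id": "1"}), s), s["boxes"])    # 405, box 1 intact
```

The GET bypass matters because a cross-site `<img>` or link can issue a GET with the victim's cookies but cannot read or forge the session-bound token; tying the check to the method instead of to the route's effect is what leaves the hole. Checking the token for every non-safe method and rejecting mutations over GET closes both paths at once.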
Page 1 of 2