Skip to main content

Limesurvey CVE-2024-24506

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2024-04-03 cve@mitre.org
6.1
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from Vendor (mitre) · only source for this CVE.

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Apr 03, 2024 - 07:15 cve.org
MEDIUM 6.1

DescriptionCVE.org

Cross Site Scripting (XSS) vulnerability in Lime Survey Community Edition Version v.5.3.32+220817, allows remote attackers to execute arbitrary code via the Administrator email address parameter in the General Setting function.

AnalysisAI

Cross Site Scripting (XSS) vulnerability in Lime Survey Community Edition Version v.5.3.32+220817, allows remote attackers to execute arbitrary code via the Administrator email address parameter in. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. Cross Site Scripting (XSS) vulnerability in Lime Survey Community Edition Version v.5.3.32+220817, allows remote attackers to execute arbitrary code via the Administrator email address parameter in the General Setting function. Affected products include: Limesurvey.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

CVE-2020-11455 CRITICAL POC
9.8 Apr 01

LimeSurvey before 4.1.12+200324 contains a path traversal vulnerability in application/controllers/admin/LimeSurveyFileM

CVE-2019-9960 CRITICAL POC
9.8 Mar 24

The downloadZip function in application/controllers/admin/export.php in LimeSurvey through 3.16.1+190225 allows a relati

CVE-2018-17057 CRITICAL POC
9.8 Sep 14

An issue was discovered in TCPDF before 6.2.22. Rated critical severity (CVSS 9.8), this vulnerability is remotely explo

CVE-2024-42902 HIGH POC
8.8 Sep 03

An issue in the js_localize.php function of LimeSurvey v6.6.2 and before allows attackers to execute arbitrary code via

CVE-2024-39063 HIGH POC
8.8 Jul 09

Lime Survey <= 6.5.12 is vulnerable to Cross Site Request Forgery (CSRF). Rated high severity (CVSS 8.8), this vulnerabi

CVE-2012-4927 HIGH POC
7.5 Sep 15

SQL injection vulnerability in Limesurvey (a.k.a PHPSurveyor) before 1.91+ Build 120224 and earlier allows remote attack

CVE-2014-5017 HIGH POC
7.5 Jul 21

SQL injection vulnerability in CPDB in application/controllers/admin/participantsaction.php in LimeSurvey 2.05+ Build 14

CVE-2022-43279 HIGH POC
7.2 Nov 15

LimeSurvey before v5.0.4 was discovered to contain a SQL injection vulnerability via the component /application/views/th

CVE-2021-42112 MEDIUM POC
6.1 Oct 08

The "File upload question" functionality in LimeSurvey 3.x-LTS through 3.27.18 allows XSS in assets/scripts/modaldialog.

CVE-2019-17660 MEDIUM POC
6.1 Oct 16

A cross-site scripting (XSS) vulnerability in admin/translate/translateheader_view.php in LimeSurvey 3.19.1 and earlier

CVE-2025-56422 CRITICAL
9.8 Mar 10

LimeSurvey before v6.15.0 has an insecure deserialization enabling remote code execution through crafted survey data.

CVE-2019-16184 CRITICAL
9.8 Sep 09

A CSV injection vulnerability was found in Limesurvey before 3.17.14 that allows survey participants to inject commands

Share

CVE-2024-24506 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy