Skip to main content

Limesurvey CVE-2024-39063

HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2024-07-09 cve@mitre.org
8.8
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from Vendor (mitre) · only source for this CVE.

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Jul 09, 2024 - 20:15 cve.org
HIGH 8.8

DescriptionCVE.org

Lime Survey <= 6.5.12 is vulnerable to Cross Site Request Forgery (CSRF). The YII_CSRF_TOKEN is only checked when passed in the body of POST requests, but the same check isn't performed in the equivalent GET requests.

AnalysisAI

Lime Survey <= 6.5.12 is vulnerable to Cross Site Request Forgery (CSRF). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified as Cross-Site Request Forgery (CSRF) (CWE-352), which allows attackers to trick authenticated users into performing unintended actions. Lime Survey <= 6.5.12 is vulnerable to Cross Site Request Forgery (CSRF). The YII_CSRF_TOKEN is only checked when passed in the body of POST requests, but the same check isn't performed in the equivalent GET requests. Affected products include: Limesurvey.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Implement anti-CSRF tokens, validate Origin/Referer headers, use SameSite cookie attribute.

CVE-2020-11455 CRITICAL POC
9.8 Apr 01

LimeSurvey before 4.1.12+200324 contains a path traversal vulnerability in application/controllers/admin/LimeSurveyFileM

CVE-2019-9960 CRITICAL POC
9.8 Mar 24

The downloadZip function in application/controllers/admin/export.php in LimeSurvey through 3.16.1+190225 allows a relati

CVE-2018-17057 CRITICAL POC
9.8 Sep 14

An issue was discovered in TCPDF before 6.2.22. Rated critical severity (CVSS 9.8), this vulnerability is remotely explo

CVE-2024-42902 HIGH POC
8.8 Sep 03

An issue in the js_localize.php function of LimeSurvey v6.6.2 and before allows attackers to execute arbitrary code via

CVE-2012-4927 HIGH POC
7.5 Sep 15

SQL injection vulnerability in Limesurvey (a.k.a PHPSurveyor) before 1.91+ Build 120224 and earlier allows remote attack

CVE-2014-5017 HIGH POC
7.5 Jul 21

SQL injection vulnerability in CPDB in application/controllers/admin/participantsaction.php in LimeSurvey 2.05+ Build 14

CVE-2022-43279 HIGH POC
7.2 Nov 15

LimeSurvey before v5.0.4 was discovered to contain a SQL injection vulnerability via the component /application/views/th

CVE-2024-24506 MEDIUM POC
6.1 Apr 03

Cross Site Scripting (XSS) vulnerability in Lime Survey Community Edition Version v.5.3.32+220817, allows remote attacke

CVE-2021-42112 MEDIUM POC
6.1 Oct 08

The "File upload question" functionality in LimeSurvey 3.x-LTS through 3.27.18 allows XSS in assets/scripts/modaldialog.

CVE-2019-17660 MEDIUM POC
6.1 Oct 16

A cross-site scripting (XSS) vulnerability in admin/translate/translateheader_view.php in LimeSurvey 3.19.1 and earlier

CVE-2025-56422 CRITICAL
9.8 Mar 10

LimeSurvey before v6.15.0 has an insecure deserialization enabling remote code execution through crafted survey data.

CVE-2019-16184 CRITICAL
9.8 Sep 09

A CSV injection vulnerability was found in Limesurvey before 3.17.14 that allows survey participants to inject commands

Share

CVE-2024-39063 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy