Unknown · Limesurvey · CVE-2024-42903
**Name of the Vulnerable Software and Affected Versions**
LimeSurvey versions 6.6.1+240806 and earlier
**Description**
A Host header injection issue in the password reset function allows attackers to send users a crafted password reset link that directs victims to a malicious domain. This occurs because the password reset function does not properly validate the Host header, enabling malicious redirects.
**Recommendations**
For LimeSurvey versions 6.6.1+240806 and earlier, as a temporary workaround, consider disabling the password reset function until a patch is available. Restrict access to the password reset feature to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
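To make the mechanism in the description concrete, the following added example (constructed for this page, not LimeSurvey's own code) shows a reset-link builder that trusts the Host header beside a hardened variant that allow-lists the header and derives the link from a configured canonical origin. The origin `survey.example.org`, the `/reset-password` path and the token value are all constructed placeholders.

```python
"""Constructed illustration (not LimeSurvey code) of the Host-header injection
class described in CVE-2024-42903, beside a hardened variant."""
from urllib.parse import urlsplit

# Constructed deployment settings: the only origin reset links may point to.
CANONICAL_BASE_URL = "https://survey.example.org"
ALLOWED_HOSTS = {"survey.example.org"}
RESET_PATH = "/reset-password"  # placeholder path, not LimeSurvey's real route


def reset_link_vulnerable(headers: dict, token: str) -> str:
    """Builds the link from the client-controlled Host header.

    Whatever the requester puts in Host ends up in the e-mail, so a request
    carrying Host: attacker.example produces a link to attacker.example."""
    host = headers.get("Host", "")
    return f"https://{host}{RESET_PATH}?token={token}"


def host_header_is_trusted(headers: dict) -> bool:
    """Allow-list check on the Host header (hostname only, port ignored)."""
    try:
        hostname = urlsplit("//" + headers.get("Host", "")).hostname
    except ValueError:  # malformed value such as an unbalanced IPv6 bracket
        return False
    return hostname is not None and hostname.lower() in ALLOWED_HOSTS


def reset_link_hardened(headers: dict, token: str) -> str:
    """Rejects untrusted Host values and never uses the header to build URLs:
    the link comes from the configured canonical origin, so even a Host value
    that slips past the check cannot redirect the recipient elsewhere."""
    if not host_header_is_trusted(headers):
        raise ValueError(f"untrusted Host header: {headers.get('Host')!r}")
    return f"{CANONICAL_BASE_URL}{RESET_PATH}?token={token}"


def link_origin(url: str) -> str:
    """Returns scheme://netloc of a link, to verify where it would send users."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


if __name__ == "__main__":
    token = "CONSTRUCTED_TOKEN"
    crafted = {"Host": "attacker.example"}          # constructed request
    legitimate = {"Host": "survey.example.org:443"}  # constructed request
    print("vulnerable:", reset_link_vulnerable(crafted, token))
    print("hardened:  ", reset_link_hardened(legitimate, token))
    try:
        reset_link_hardened(crafted, token)
    except ValueError as exc:
        print("hardened rejected crafted request:", exc)
```

The same allow-list check can be applied at the reverse proxy or in the application's request layer, so that a rejected Host value is logged and never reaches the reset-mail code path.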