PT-2014-6250 · Limesurvey · Limesurvey

Published

2014-07-21

Updated

2014-07-22

CVE-2014-5018

CVSS v2.0

4.3

Medium

Vector

AV:N/AC:M/Au:N/C:N/I:P/A:N

Name of the Vulnerable Software and Affected Versions LimeSurvey versions 2.05 and later

Description The issue is related to an incomplete blacklist vulnerability in the autoEscape function. This allows remote attackers to conduct cross-site scripting (XSS) attacks via the GBK charset in the loadname parameter to "index.php", specifically when resuming a survey.

Recommendations For LimeSurvey versions 2.05 and later, consider restricting access to the loadname parameter in the "index.php" endpoint until a patch is available. As a temporary workaround, avoid using the GBK charset in the loadname parameter to minimize the risk of exploitation.

Exploit

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Related Identifiers

CVE-2014-5018

Affected Products

Limesurvey

PT-2014-6250 · Limesurvey · Limesurvey

CVE-2014-5018

Related Identifiers

Affected Products

References · 3