First published: Mon Sep 09 2019
LimeSurvey before v3.17.14 allows stored XSS for escalating privileges from a low-privileged account to, for example, SuperAdmin. The attack uses a survey group in which the title contains JavaScript that is mishandled upon group deletion.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Limesurvey Limesurvey | <3.17.4 | |
The vulnerability ID is CVE-2019-16172.
The severity rating of CVE-2019-16172 is medium, with a severity value of 5.4.
CVE-2019-16172 allows privilege escalation by exploiting a stored cross-site scripting (XSS) vulnerability in LimeSurvey before version 3.17.14.
LimeSurvey versions up to and excluding 3.17.4 are affected by CVE-2019-16172.
To remediate the CVE-2019-16172 vulnerability, it is recommended to update LimeSurvey to version 3.17.14 or later.