First published: Mon Sep 09 2019
LimeSurvey before v3.17.14 allows reflected XSS for escalating privileges from a low-privileged account to, for example, SuperAdmin. This occurs in application/core/Survey_Common_Action.php,
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Limesurvey Limesurvey | <3.17.4 | |
CVE-2019-16173 is a vulnerability in LimeSurvey before v3.17.14 that allows for reflected XSS attacks, enabling privilege escalation from a low-privileged account to a SuperAdmin account.
The severity of CVE-2019-16173 is rated as medium with a CVSS score of 5.4.
The affected software version for CVE-2019-16173 is LimeSurvey up to version 3.17.4.
An attacker can exploit CVE-2019-16173 by tricking a user into clicking on a specially crafted link or visiting a website that contains malicious code, which then executes in the user's browser and allows the attacker to perform actions on behalf of the user.
The fix for CVE-2019-16173 is to upgrade LimeSurvey to version 3.17.14 or later.
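The reflected XSS pattern described above, as an added illustration that is not LimeSurvey's code and not taken from the advisory: a request value echoed straight into the HTML response beside the hardened form that encodes it for the HTML-body context first. The parameter name `msg`, the function names, and the sample input are constructed for the example.

```php
<?php
// Added example: generic reflected-XSS output-encoding pattern in PHP.
// This is NOT LimeSurvey code; the "msg" parameter, the markup and the
// function names are invented for illustration.

declare(strict_types=1);

// Vulnerable form: the request value is written verbatim into the response.
// Any markup or event handler carried in the request becomes part of the page
// and runs in the browser of whoever follows the link, with that user's session
// and privileges. This is the mechanism by which a low-privileged party can
// have actions performed on behalf of a higher-privileged victim.
function renderStatusUnsafe(string $msg): string
{
    return '<div class="status">' . $msg . '</div>';
}

// Hardened form: encode for the HTML-body context before output.
// ENT_QUOTES also encodes single quotes, ENT_SUBSTITUTE returns a replacement
// character instead of an empty string on malformed UTF-8, and the charset is
// stated explicitly so the encoder and the browser agree on it.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderStatusSafe(string $msg): string
{
    return '<div class="status">' . escapeHtml($msg) . '</div>';
}

// Constructed sample input standing in for a crafted query-string value.
$sample = '<img src=x onerror=alert(1)>';

// The unsafe renderer reproduces the tag as live markup; the safe renderer
// turns it into inert text (&lt;img src=x onerror=alert(1)&gt;) that the
// browser displays rather than executes.
echo 'unsafe: ' . renderStatusUnsafe($sample) . PHP_EOL;
echo 'safe:   ' . renderStatusSafe($sample) . PHP_EOL;

// In a request handler the value would be read with a default and always
// pass through the safe renderer; the charset header should match the
// encoder's charset:
//   $msg = (string) ($_GET['msg'] ?? '');
//   header('Content-Type: text/html; charset=UTF-8');
//   echo renderStatusSafe($msg);
```

The encoding shown is correct only for text placed in the HTML body; a value inserted into an attribute, a URL, or a script block needs the encoding for that context instead. Output encoding is the fix for the defect itself; a Content-Security-Policy that disallows inline script and `HttpOnly` session cookies reduce what a remaining reflection can achieve, but they do not replace it.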