CVE-2024-6933
Description
A flaw has been found in LimeSurvey 6.5.14-240624. Affected by this issue is the function actionUpdateSurveyLocaleSettingsGeneralSettings of the file /index.php?r=admin/database/index/updatesurveylocalesettings_generalsettings of the component Survey General Settings Handler. This manipulation of the argument Language causes sql injection. The attack is possible to be carried out remotely. The exploit has been published and may be used. Upgrading to version 6.6.2+240827 can resolve this issue. Patch name: d656d2c7980b7642560977f4780e64533a68e13d. You should upgrade the affected component.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: cna@vuldb.com — https://github.com/LimeSurvey/LimeSurvey/commit/d656d2c7980b7642560977f4780e64533a68e13d
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| limesurvey | limesurvey | {"startIncluding":"6.5.14","endExcluding":"6.6.2"} | 6.6.2 |
References
- https://community.limesurvey.org/downloads/
- https://github.com/Hebing123/cve/issues/55
- https://github.com/LimeSurvey/LimeSurvey/commit/d656d2c7980b7642560977f4780e64533a68e13d
- https://vuldb.com/?ctiid.271988
- https://vuldb.com/?id.271988
- https://vuldb.com/?submit.372007
- https://github.com/Hebing123/cve/issues/55
- https://vuldb.com/?ctiid.271988
- https://vuldb.com/?id.271988
- https://vuldb.com/?submit.372007
CWEs
CWE-74 CWE-89
Verify integrity in audit chain (admin only). AS-IS.