Cross-Site Request Forgery Vulnerability in LimeSurvey by LimeSurvey GmbH
CVE-2019-16187

7.5HIGH

Key Information:

Vendor: Limesurvey
Status: Limesurvey
Vendor: CVE Published:; 9 September 2019

What is CVE-2019-16187?

LimeSurvey versions before 3.17.14 are susceptible to a vulnerability due to the lack of the HttpOnly flag on an anti-CSRF cookie. This oversight allows attackers to exploit client-side scripts to access sensitive cookie information, potentially leading to unauthorized actions on behalf of users. It is crucial for users and administrators of the affected versions to update to the latest release to mitigate this risk.

References

https://www.limesurvey.org/limesurvey-updates/2188-limesu...

x_refsource_MISC

https://github.com/LimeSurvey/LimeSurvey/commit/5870fd103...

x_refsource_MISC

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 9, 2019
Vulnerability Reserved
Sep 9, 2019

Limesurvey

What is CVE-2019-16187?

References

CVSS V3.1

Timeline