Path Traversal Vulnerability in LimeSurvey by LimeSurvey GmbH
CVE-2019-9960

9.8CRITICAL

Key Information:

Vendor: Limesurvey
Status: Limesurvey
Vendor: CVE Published:; 24 March 2019

What is CVE-2019-9960?

The downloadZip function in LimeSurvey allows attackers to utilize a relative path, potentially leading to unauthorized access to sensitive files on the server. This flaw can be exploited by an attacker to manipulate the file path, resulting in the exposure of confidential data or files that should remain protected. Users of affected versions of LimeSurvey should be aware of this vulnerability and implement necessary security measures to safeguard their applications.

References

https://github.com/LimeSurvey/LimeSurvey/commit/1ed10d3c4...

x_refsource_MISC

EPSS Score

70% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Mar 24, 2019
Vulnerability Reserved
Mar 23, 2019

Limesurvey

What is CVE-2019-9960?

References

EPSS Score

CVSS V3.1

Timeline