Remote Code Execution Vulnerability in LimeSurvey by LimeSurvey Development Team
CVE-2021-44967

8.8HIGH

Key Information:

Vendor: Limesurvey
Status: Limesurvey
Vendor: CVE Published:; 24 February 2022

Badges

👾 Exploit Exists🟡 Public PoC

Summary

A vulnerability exists in LimeSurvey 5.2.4 that permits remote code execution via the plugin upload and installation process. Attackers can exploit this weakness to upload arbitrary PHP code files, potentially compromising the integrity and security of the affected installation. This vulnerability highlights the importance of securing upload functionalities and ensuring that only authenticated users can perform such actions.

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2021-44967
Created by godylockz

LimeSurvey-RCE
Created by D3Ext

References

https://www.exploit-db.com/exploits/50573

https://github.com/Y1LD1R1M-1337/Limesurvey-RCE

https://www.limesurvey.org/manual/Plugins_-_advanced

EPSS Score

8% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

🟡
Public PoC available
Jan 5, 2025
👾
Exploit known to exist
Jan 5, 2025
Vulnerability published
Feb 24, 2022
Vulnerability Reserved
Dec 13, 2021