HackDig : Dig high-quality web security articles for hacker

LimeSurvey v2.00+ (build 131107) Script Insertion And SQL Injection Vulnerability

2014-08-13 01:56

LimeSurvey suffers from a stored cross-site scripting and an SQL injection vulnerability. Input passed to the ‘label_name’ POST parameter is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in the context of an affected site. Input passed to the ‘group_name’ POST parameter is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
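The two defect patterns the advisory describes, each beside its hardened form, as an added example in PHP (this is not LimeSurvey's code; the function names, the label_groups table and the POST values are constructed for the demo, and an in-memory SQLite database stands in for the real backend):

```php
<?php
// Added example, not LimeSurvey code: an unencoded 'label_name' echoed into
// HTML and a 'group_name' concatenated into SQL, each next to the fix.
// Table name, function names and inputs are hypothetical/constructed.
declare(strict_types=1);

// --- Stored XSS: label_name written back into the page ----------------------

function render_label_vulnerable(string $label_name): string
{
    // Defect: raw user input interpolated into HTML, so markup is interpreted.
    return "<td>{$label_name}</td>";
}

function render_label_fixed(string $label_name): string
{
    // Fix: encode for the HTML context; ENT_QUOTES also covers attribute
    // values, and an explicit UTF-8 charset avoids encoding-dependent gaps.
    return '<td>' . htmlspecialchars($label_name, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
}

// --- SQL injection: group_name concatenated into a query --------------------

function find_group_vulnerable(PDO $db, string $group_name): array
{
    // Defect: string concatenation lets the value change the query structure.
    $sql = "SELECT id, group_name FROM label_groups WHERE group_name = '" . $group_name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

function find_group_fixed(PDO $db, string $group_name): array
{
    // Fix: bind the value as a parameter; the database treats it as data only.
    $stmt = $db->prepare('SELECT id, group_name FROM label_groups WHERE group_name = :name');
    $stmt->execute([':name' => $group_name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- Demo on a constructed in-memory table ----------------------------------

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE label_groups (id INTEGER PRIMARY KEY, group_name TEXT)');
$db->exec("INSERT INTO label_groups (group_name) VALUES ('Likert'), ('Private')");

// Constructed stand-ins for the two POST parameters, using the classic
// textbook probe strings so the difference between the versions is visible.
$label_name = '<script>alert(1)</script>';
$group_name = "x' OR '1'='1";

echo "vulnerable render: ", render_label_vulnerable($label_name), PHP_EOL;
echo "fixed render:      ", render_label_fixed($label_name), PHP_EOL;

echo "vulnerable query rows: ", count(find_group_vulnerable($db, $group_name)), PHP_EOL;
echo "fixed query rows:      ", count(find_group_fixed($db, $group_name)), PHP_EOL;
```

Run it with `php example.php` (needs the pdo_sqlite extension). The vulnerable query matches every row because the injected tautology becomes part of the WHERE clause, while the prepared statement compares the whole string literally and matches nothing; likewise the encoded label is displayed as text instead of being executed. The same two changes (context-aware output encoding and parameterised queries) are what a code review of the affected handlers should look for.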


Advisory [ZSL-2013-5161]:
LimeSurvey v2.00+ (build 131107) Script Insertion And SQL Injection Vulnerability

Vendor patch:
http://bugs.limesurvey.org/plugin.php?page=Source/view&id=13491
http://bugs.limesurvey.org/plugin.php?page=Source/view&id=13494
http://www.limesurvey.org/en/stable-release


Source: zeroscience.mk/blog/11/2013/limesurvey-v2-00-build-131107-script-insertion-and-sql-injection-
