Unpatched LimeSurvey vulnerabilities

Summary

LimeSurvey is generally considered to be a secure product but, as with all software, security vulnerabilities can still be discovered in it.

  • In 2014 & 2015, a number of vulnerabilities were discovered in LimeSurvey 2.05 and 2.06 that were addressed by vendor patches.
  • Early in 2018, a number of vulnerabilities were discovered that had been present since 3.0.0 beta. These are reported to have all been fixed in 3.06 or earlier.
  • Recently (August 2018) a vulnerability was discovered in LimeSurvey 3.14.3 and earlier that would allow a malicious user with a LimeSurvey account to take over the website. This is addressed in version 3.14.5+.

Impact

The impact will depend on the specific vulnerability.  However, the scope may include destruction / vandalism of your site, theft of information, or taking the site over to serve illegal or malicious content.

Solution

We recommend that you upgrade LimeSurvey to the latest stable version.  The generic instructions are here:
