LimeSurvey cpdb SQL Injection Vulnerability
Release date:
Updated on:
Affected Systems:
LimeSurvey
Description:
--------------------------------------------------------------------------------
CVE (CAN) ID: CVE-2014-5017
LimeSurvey is an open-source online questionnaire and survey application. It is written in PHP, runs on MySQL, PostgreSQL, MSSQL and other databases, and combines survey design, questionnaire publishing and data collection in one program.
In LimeSurvey 2.05+ Build 140618, the CPDB (central participant database) code in application/controllers/admin/participantsaction.php contains a SQL injection vulnerability. A remote attacker can execute arbitrary SQL commands through the sidx parameter of a JSON request to admin/participants/sa/getParticipants_json.
<* Source: vendor
Giuseppe D'Amore
Link: http://packetstormsecurity.com/files/127369/Lime-Survey-2.05-Build-140618-XSS-SQL-Injection.html
*>
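As an added illustration of the root cause and the fix, not code from LimeSurvey or from the vendor's patch: it assumes the jqGrid-style sidx/sord parameters are used to build the ORDER BY clause of the participant listing query. Column names cannot be bound as query parameters, so an allow-list of known identifiers is the only sound control; the column list and the sample request below are constructed for the example.

```php
<?php
// Added example, not LimeSurvey code. Assumes the grid's "sidx" (sort column)
// and "sord" (sort direction) request parameters end up in an ORDER BY clause.

// Allow-list of sortable participant columns (constructed for this example;
// a real application derives this from its own schema, never from the request).
const SORTABLE_COLUMNS = ['participant_id', 'firstname', 'lastname', 'email', 'language'];

/**
 * Vulnerable pattern: the untrusted sort column is interpolated into the SQL.
 * Prepared statements do not help here, because identifiers cannot be bound.
 */
function buildOrderByVulnerable(string $sidx, string $sord): string
{
    return "SELECT * FROM participants ORDER BY $sidx $sord";
}

/**
 * Hardened pattern: map the input onto a known identifier and a fixed direction.
 * Returns null for anything else, so the caller answers HTTP 400 and logs the
 * rejected value instead of forwarding it to the database.
 */
function buildOrderBySafe(string $sidx, string $sord): ?string
{
    if (!in_array($sidx, SORTABLE_COLUMNS, true)) {
        return null;
    }
    $direction = (strtoupper($sord) === 'DESC') ? 'DESC' : 'ASC';
    // Backtick quoting is MySQL syntax; use the driver's identifier quoting
    // (e.g. Yii's quoteColumnName) when the database backend can vary.
    return "SELECT * FROM participants ORDER BY `$sidx` $direction";
}

// Constructed JSON request body, as the grid would send it.
$request = json_decode('{"sidx":"lastname","sord":"desc"}', true);
echo buildOrderBySafe($request['sidx'], $request['sord']), PHP_EOL;

// Any value that is not a known column is rejected before reaching SQL.
var_dump(buildOrderBySafe('not_a_column', 'asc')); // NULL
```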
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
LimeSurvey
----------
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:
https://github.com/LimeSurvey/LimeSurvey/commit/9938bcd1df8ea27052557c722a67b00c0e7d6cb6