CVE-2019-16184

CRITICAL

Limesurvey <3.17.14 - Command Injection

Title source: llm

Description

A CSV injection vulnerability was found in Limesurvey before 3.17.14 that allows survey participants to inject commands via their survey responses that will be included in the export CSV file.

References (2)

[Release Notes, Vendor Advisory] https://www.limesurvey.org/limesurvey-updates/2188-limesurvey-3-17-14-build-190902-released

[Patch, Release Notes, Third Party Advisory] https://github.com/LimeSurvey/LimeSurvey/commit/5870fd1037058bc4e43cccf893b576c72293371e#diff-d539f3f8185667ee48db78e1bf65a3b4R46

View Patch ZIP pw:eip

Scores

CVSS v3 9.8

EPSS 0.0058

EPSS Percentile 68.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-1236

Status published

Products (1)

limesurvey/limesurvey < 3.17.14

Published Sep 09, 2019

Tracked Since Feb 18, 2026