CVE-2021-44967

HIGH8.8EPSS 77.4%

Published: 3/6/2024Modified: 4/3/2025

Description

A Remote Code Execution (RCE) vulnerabilty exists in LimeSurvey 5.2.4 via the upload and install plugins function, which could let a remote malicious user upload an arbitrary PHP code file. NOTE: the Supplier's position is that plugins intentionally can contain arbitrary PHP code, and can only be installed by a superadmin, and therefore the security model is not violated by this finding.

Affected packages (1)

Bitnami/limesurvey>= 5.2.4, < 5.2.5

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References (4)

WEBhttps://github.com/Y1LD1R1M-1337/Limesurvey-RCE
WEBhttps://nvd.nist.gov/vuln/detail/CVE-2021-44967
WEBhttps://www.exploit-db.com/exploits/50573
WEBhttps://www.limesurvey.org/manual/Plugins_-_advanced