CVE-2025-41076

EPSS 0.04%

Multiple vulnerabilities in Limesurvey

發布日:2025/11/22修改日:2025/11/22

描述

In version 6.13.0 of LimeSurvey, any external user can cause a 500 error in the survey system by sending a malformed session cookie. Instead of displaying a generic error message, the system exposes internal backend information, including the use of the Yii framework, the MySQL/MariaDB database engine, the table name 'lime_sessions', primary keys, and fragments of the content that caused the conflict. This information can simplify the collection of data about the internal architecture of the application by an attacker.

受影響套件(1)

Bitnami/limesurvey>= 6.13.0, < 6.15.5

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

參考連結(2)

WEBhttps://nvd.nist.gov/vuln/detail/CVE-2025-41076
WEBhttps://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-limesurvey-0