Published: 24/03/2019 Updated: 24/08/2020

CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10

CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9

VMScore: 790

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

The downloadZip function in application/controllers/admin/export.php in LimeSurvey up to and including 3.16.1+190225 allows a relative path.

Vulnerable Product	Search on Vulmon	Subscribe to Product
limesurvey limesurvey

This module exploits an authenticated path traversal vulnerability found in LimeSurvey versions between 40 and 4111 with CVE-2020-11455 or <= 3159 with CVE-2019-9960, inclusive In CVE-2020-11455 the getZipFile function within the filemanager functionality allows for arbitrary file download The file ...

This module exploits an authenticated path traversal vulnerability found in LimeSurvey versions between 4.0 and 4.1.11 with CVE-2020-11455 or <= 3.15.9 with CVE-2019-9960, inclusive. In CVE-2020-11455 the getZipFile function within the filemanager functionality allows for arbitrary file download. The file retrieved may be deleted after viewing, which was confirmed in testing. In CVE-2019-9960 the szip function within the downloadZip functionality allows for arbitrary file download. Verified against 4.1.11-200316, 3.15.0-181008, 3.9.0-180604, 3.6.0-180328, 3.0.0-171222, and 2.70.0-170921.

msf > use auxiliary/scanner/http/limesurvey_zip_traversals
msf auxiliary(limesurvey_zip_traversals) > show actions
    ...actions...
msf auxiliary(limesurvey_zip_traversals) > set ACTION < action-name >
msf auxiliary(limesurvey_zip_traversals) > show options
    ...show and set options...
msf auxiliary(limesurvey_zip_traversals) > run

CWE-22 https://github.com/LimeSurvey/LimeSurvey/commit/1ed10d3c423187712b8f6a8cb2bc9d5cc3b2deb8 https://nvd.nist.gov https://www.rapid7.com/db/modules/auxiliary/scanner/http/limesurvey_zip_traversals/

CVE-2019-9960

Vulnerability Summary

Vulnerability Trend

Exploits

Metasploit Modules

References

Vulmon Search

About

Products

Connect