CVE-2019-25019

LimeSurvey before 4.0.0-RC4 allows SQL injection via the participant model.
SQL Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 62%
VendorProductVersion
limesurveylimesurvey
𝑥
< 3.19.0
limesurveylimesurvey
4.0.0:alpha
limesurveylimesurvey
4.0.0:beta
limesurveylimesurvey
4.0.0:rc1
limesurveylimesurvey
4.0.0:rc2
limesurveylimesurvey
4.0.0:rc3
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://community.limesurvey.org/release/191008/
https://github.com/LimeSurvey/LimeSurvey/blob/master/docs/release_notes.txt
https://community.limesurvey.org/release/191008/
https://github.com/LimeSurvey/LimeSurvey/blob/master/docs/release_notes.txt