Multiple vulnerabilities in Limesurvey_CVE-2025-41076

6.9 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Description

In version 6.13.0 of LimeSurvey, any external user can cause a 500 error in the survey system by sending a malformed session cookie. Instead of displaying a generic error message, the system exposes internal backend information, including the use of the Yii framework, the MySQL/MariaDB database engine, the table name 'lime_sessions', primary keys, and fragments of the content that caused the conflict. This information can simplify the collection of data about the internal architecture of the application by an attacker.

Basic Information

ID CVE-2025-41076

Source INCIBE

Published Nov 20, 2025 at 12:52

Modified Nov 20, 2025 at 20:30

Affected Product

Vendor LimeSurvey

Product LimeSurvey

Version 6.13.0

Affected Versions LimeSurvey LimeSurvey 6.13.0

CWE Classification

CWE-209

References

www.incibe.es /en/incibe-cert/notices/aviso/multiple-vulnerabilities-limesurvey-0

{
    "lastseen": "",
    "description": "In version 6.13.0 of LimeSurvey, any external user can cause a 500 error in the survey system by sending a malformed session cookie. Instead of displaying a generic error message, the system exposes internal backend information, including the use of the Yii framework, the MySQL/MariaDB database engine, the table name 'lime_sessions', primary keys, and fragments of the content that caused the conflict. This information can simplify the collection of data about the internal architecture of the application by an attacker.",
    "published": "2025-11-20T12:52:25.797Z",
    "modified": "2025-11-20T20:30:01.872Z",
    "type": "cve",
    "title": "Multiple vulnerabilities in Limesurvey",
    "source": "INCIBE",
    "references": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-limesurvey-0",
    "id": "CVE-2025-41076",
    "bulletinFamily": "",
    "cwe": [
        "CWE-209"
    ],
    "cvelist": null,
    "sourceData": "LimeSurvey LimeSurvey 6.13.0",
    "sourceHref": "",
    "cvss": {
        "score": 6.9,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "LimeSurvey",
    "version": "6.13.0",
    "vendor": "LimeSurvey",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}