CVE-2019-9960
published 2019-03-24

CVE-2019-9960: The downloadZip function in application/controllers/admin/export.php in LimeSurvey through 3.16.1+190225 allows a relative path.

Priority: P261
Severity: critical (9.8, CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: yes
EPSS: 13.37% (95.9th percentile)

Affected (1 range)

Vendor       Product      Version range        Fixed in
limesurvey   limesurvey   <= 3.16.1+190225

Detection & IOCs (extracted from sources)

path: application/controllers/admin/export.php
  • Monitor HTTP requests targeting the downloadZip/szip functionality in LimeSurvey's export controller for path traversal sequences (e.g., '../') in parameters, indicating exploitation of CVE-2019-9960.
  • Alert on authenticated POST/GET requests to application/controllers/admin/export.php containing relative path components, as this is the vulnerable endpoint for CVE-2019-9960.
  • The Metasploit auxiliary module limesurvey_zip_traversals.rb can be used to verify exposure; detect its use by correlating scanner activity against LimeSurvey admin endpoints.
  • Exploitation requires authentication; unauthenticated access to the vulnerable endpoint is not sufficient to trigger CVE-2019-9960.
  • CVE-2019-9960 affects LimeSurvey versions up to and including 3.15.9 (and up to 3.16.1+190225 per NVD); distinguish from CVE-2020-11455, which affects 4.0–4.1.11 and uses a different vulnerable function (getZipFile in filemanager).

CVSS provenance

Source   Version   Score   Severity   Vector
nvd      v3.0      9.8     CRITICAL   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd      v2.0      7.5     HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P