CVE-2020-11455
published 2020-04-01

CVE-2020-11455: LimeSurvey before 4.1.12+200324 contains a path traversal vulnerability in application/controllers/admin/LimeSurveyFileManager.php.

Priority: P186 · critical 9.8 · CVSS 3.1
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 96.99% (99.9th percentile)

Affected (2 ranges)

Vendor      Product     Version range   Fixed in
limesurvey  limesurvey  <= 4.1.11
limesurvey  limesurvey

Detection & IOCs (extracted from sources)

URL: /index.php/admin/filemanager/sa/getZipFile?path=/../../../../../../../etc/passwd
Path: application/controllers/admin/LimeSurveyFileManager.php
  • Monitor HTTP GET requests to the LimeSurvey filemanager endpoint '/index.php/admin/filemanager/sa/getZipFile' whose 'path' parameter contains directory-traversal sequences (e.g. '/../../../').
  • The vulnerable parameter is 'path' on the getZipFile action; alert on values containing '../' sequences that resolve outside the web root.
  • Post-exploitation: the file retrieved via path traversal may be deleted after it is viewed, so monitor for unexpected deletion of LimeSurvey configuration files as a secondary indicator of exploitation.
  • Exploitation does not require authentication (CVSS PR:N), so any source IP hitting the filemanager traversal path should be treated as suspicious regardless of session state.
  • Denial-of-service risk: if the web service account has write/delete permissions, the attacker can delete critical LimeSurvey configuration files after downloading them via the traversal.
  • Affected version range for CVE-2020-11455 is LimeSurvey 4.0 through 4.1.11 inclusive; a related but distinct traversal (CVE-2019-9960) affects versions <= 3.15.9 via a different endpoint (downloadZip/szip).
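A detector for the monitoring guidance above, added here as an example rather than code from the page's sources: it parses constructed common-format access-log lines and flags GET requests to the getZipFile endpoint whose decoded 'path' parameter contains a '..' segment, percent-decoding repeatedly so a double-encoded traversal is not missed. The log format, regexes and sample lines are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoint from the advisory; matched case-insensitively against the request path.
ENDPOINT = "/index.php/admin/filemanager/sa/getzipfile"
# A '..' segment bounded by slashes (or string ends), checked after decoding.
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")
# Common/combined log format: ip ident user [time] "METHOD URI PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

def _fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so a double-encoded '..%252F' does not slip past."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal_request(uri: str) -> bool:
    """True when the URI hits getZipFile with a 'path' value that traverses directories."""
    parts = urlsplit(uri)
    if ENDPOINT not in parts.path.lower():
        return False
    for value in parse_qs(parts.query, keep_blank_values=True).get("path", []):
        # Normalise backslashes too, in case the server tolerates them as separators.
        if TRAVERSAL.search(_fully_decode(value).replace("\\", "/")):
            return True
    return False

def scan_access_log(lines):
    """Return (ip, uri, status) for each GET line that matches the traversal pattern."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group("method") == "GET" and is_traversal_request(m.group("uri")):
            hits.append((m.group("ip"), m.group("uri"), int(m.group("status"))))
    return hits

# Constructed sample log lines (not real traffic); IPs are from documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Apr/2020:10:00:01 +0000] "GET /index.php/admin/filemanager/sa/getZipFile?path=/../../../../../../../etc/passwd HTTP/1.1" 200 1412',
    '198.51.100.7 - - [01/Apr/2020:10:00:02 +0000] "GET /index.php/admin/filemanager/sa/getZipFile?path=/upload/surveys/123456/files HTTP/1.1" 200 5120',
    '203.0.113.5 - - [01/Apr/2020:10:00:03 +0000] "GET /index.php/admin/filemanager/sa/getZipFile?path=%2F..%252F..%252Fapplication%2Fconfig%2Fconfig.php HTTP/1.1" 404 0',
    '198.51.100.7 - - [01/Apr/2020:10:00:04 +0000] "GET /index.php/admin/survey/sa/view?surveyid=123456 HTTP/1.1" 200 8800',
]
```

Running `scan_access_log(SAMPLE_LOG)` returns the two traversal attempts from 203.0.113.5 (one plain, one double-encoded) and ignores the legitimate filemanager request and the unrelated survey page.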

CVSS provenance

NVD (CVSS v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD (CVSS v2.0): 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
VulnCheck: 9.8 CRITICAL