CVE-2020-11455
Published 2020-04-01
CVE-2020-11455: LimeSurvey before 4.1.12+200324 contains a path traversal vulnerability in application/controllers/admin/LimeSurveyFileManager.php.
Priority P1 · 86 · critical 9.8 · CVSS 3.1
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW · Exploit · VulnCheck KEV
Exploited in the wild
EPSS: 96.99% (99.9th percentile)
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| limesurvey | limesurvey | <= 4.1.11 | — |
| limesurvey | limesurvey | — | — |
Detection & IOCs (extracted from sources)
- Monitor HTTP GET requests to the LimeSurvey filemanager endpoint '/index.php/admin/filemanager/sa/getZipFile' with a 'path' parameter containing directory traversal sequences (e.g., '/../../../').
- The vulnerable parameter is 'path' in the getZipFile endpoint; alert on values containing '../' sequences that traverse outside the web root.
- Post-exploitation: the file retrieved via path traversal may be deleted after viewing. Monitor for unexpected deletion of LimeSurvey configuration files as a secondary indicator of exploitation.
- Exploitation does not require authentication (CVSS PR:N), so any source IP hitting the filemanager traversal path should be treated as suspicious regardless of session state.
- Denial-of-service risk: if the web service account has write/delete permissions, the attacker can delete critical LimeSurvey configuration files after downloading them via the traversal.
- Affected version range for CVE-2020-11455 is LimeSurvey 4.0 through 4.1.11 inclusive; a related but distinct traversal (CVE-2019-9960) affects versions <= 3.15.9 via a different endpoint (downloadZip/szip).
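The first two detection notes above describe a log-based rule: flag requests to the getZipFile filemanager endpoint whose 'path' parameter carries a '..' segment. The Python below is an added example of that rule, not code from any of the sources on this page or from LimeSurvey itself. It assumes web-server logs in combined/common log format, decodes the parameter repeatedly so single- and double-percent-encoded traversal collapses to the literal sequence, and matches the endpoint as a fragment so that both the path-style and the query-style ('index.php?r=...') LimeSurvey URL forms are covered (that second form is an assumption about URL styles, not something the page states). The sample log lines are constructed and use documentation IP ranges.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoint fragment and parameter name as described in the detection notes above.
# Matching on the fragment rather than the full '/index.php/...' prefix also
# catches a route-in-query URL form ('index.php?r=admin/filemanager/...');
# that form is an assumption about URL styles, not something the page states.
ENDPOINT_FRAGMENT = "admin/filemanager/sa/getzipfile"
PARAM_NAME = "path"

# Combined/common log format: host, ident, user, [timestamp], "request line", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# A '..' path segment bounded by separators (or the ends of the string).
DOTDOT_SEGMENT = re.compile(r"(?:^|/)\.\.(?:/|$)")


def decode_repeatedly(value: str, rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded), so that
    single- and double-encoded '../' both collapse to the literal sequence."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def check_line(line: str):
    """Return a hit dict for a request that targets the filemanager endpoint
    with a traversing 'path' value, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not a parseable access-log line
    target = m.group("target")
    if ENDPOINT_FRAGMENT not in decode_repeatedly(target).lower():
        return None  # some other endpoint; out of scope for this rule
    query = urlsplit(target).query
    # parse_qs already performs one round of percent-decoding.
    for raw in parse_qs(query, keep_blank_values=True).get(PARAM_NAME, []):
        candidate = decode_repeatedly(raw).replace("\\", "/")
        if DOTDOT_SEGMENT.search(candidate):
            return {
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "status": m.group("status"),
                "path": candidate,
            }
    return None


def scan(lines):
    """Run check_line over an iterable of log lines and keep only the hits."""
    return [hit for hit in (check_line(line) for line in lines) if hit]


def hits_by_source(hits):
    """Per-source-IP counts; with PR:N every source hitting the rule matters."""
    return dict(Counter(h["ip"] for h in hits))


# Constructed sample lines (RFC 5737 documentation addresses; not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Nov/2023:10:15:01 +0000] "GET /index.php/admin/filemanager/sa/getZipFile?path=/../../../../etc/passwd HTTP/1.1" 200 1834',
    '198.51.100.23 - - [25/Nov/2023:10:16:44 +0000] "GET /index.php?r=admin/filemanager/sa/getZipFile&path=%252e%252e%252f%252e%252e%252fconfig.php HTTP/1.1" 200 912',
    '192.0.2.10 - - [25/Nov/2023:10:17:03 +0000] "GET /index.php/admin/filemanager/sa/getZipFile?path=/upload/surveys/123456/files/export.zip HTTP/1.1" 200 40211',
    '192.0.2.11 - - [25/Nov/2023:10:18:10 +0000] "GET /index.php/admin/survey/sa/view?path=../x HTTP/1.1" 200 5120',
    "not an access log line at all",
]

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for hit in hits:
        print(f"{hit['ts']} {hit['ip']} status={hit['status']} path={hit['path']}")
    print(hits_by_source(hits))
```

Only the two lines that combine the getZipFile endpoint with a '..' segment are reported; the legitimate download under the upload directory and the traversal attempt against an unrelated controller are left alone, which keeps the rule tied to the indicator the sources actually describe. A 200 status on a hit is the strongest signal, since the page notes the retrieved file may also be deleted afterwards.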
CVSS provenance
NVD v3.1: 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
NVD v2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)
VulnCheck: 9.8 CRITICAL
GHSA
GHSA-x533-9x59-8hwv: LimeSurvey before 4
ghsa_unreviewed · 2022-05-24 · CVE-2020-11455 · MEDIUM · CWE-22
LimeSurvey before 4.1.12+200324 contains a path traversal vulnerability in application/controllers/admin/LimeSurveyFileManager.php.
VulnCheck
limesurvey limesurvey Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
vulncheck · 2020 · CVE-2020-11455 · CRITICAL · CVSS 9.8
LimeSurvey before 4.1.12+200324 contains a path traversal vulnerability in application/controllers/admin/LimeSurveyFileManager.php.
Affected: limesurvey limesurvey
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-25&host_type=src&vulnerability=cve-2020-11455; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-26&host_type=src&vulnerability=cve-2020-11455; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-1
No detection rules found.
Exploit-DB
LimeSurvey 4.1.11 - 'File Manager' Path Traversal
exploitdb · 2020-04-06 · CVE-2020-11455 · CRITICAL · CVSS 9.8
---
# Exploit Title: LimeSurvey 4.1.11 - 'File Manager' Path Traversal
# Date: 2020-04-02
# Exploit Author: Matthew Aberegg, Michael Burkey
# Vendor Homepage: https://www.limesurvey.org
# Version: LimeSurvey 4.1.11+200316
# Tested on: Ubuntu 18.04.4
# CVE : CVE-2020-11455
# Vulnerability Details
# Description : A path traversal vulnerability exists within the "File Manager" functionality of LimeSurvey
# that allows an attacker to download arbitrary files. The file manager functionality will also
# delete the file after it is downloaded (if the web service account has permissions to do so),
# allowing an attacker to cause a denial of service by specifying a critical LimeSurvey configuration file.
# Vulnerable Parameter : "path"
# POC
http
Nuclei
LimeSurvey 4.1.11 - Local File Inclusion
nuclei · CVE-2020-11455 · CRITICAL · CVSS 9.8
LimeSurvey before 4.1.12+200324 is vulnerable to local file inclusion because it contains a path traversal vulnerability in application/controllers/admin/LimeSurveyFileManager.php.
Template:
id: CVE-2020-11455
info:
  name: LimeSurvey 4.1.11 - Local File Inclusion
  author: daffainfo
  severity: critical
  description: LimeSurvey before 4.1.12+200324 is vulnerable to local file inclusion because it contains a path traversal vulnerability in application/controllers/admin/LimeSurveyFileManager.php.
  impact: |
    Successful exploitation of this vulnerability can lead to unauthorized access to sensitive files, remote code execution, and potential compromise of the server.
  remediation: |
    Upgrade to the latest version of LimeSurvey (4.1.12 or higher) which includ
Metasploit
LimeSurvey Zip Path Traversals
metasploit · CVE-2020-11455 · CRITICAL · CVSS 9.8
This module exploits an authenticated path traversal vulnerability found in LimeSurvey versions between 4.0 and 4.1.11 with CVE-2020-11455 or <= 3.15.9 with CVE-2019-9960, inclusive. In CVE-2020-11455 the getZipFile function within the filemanager functionality allows for arbitrary file download. The file retrieved may be deleted after viewing, which was confirmed in testing. In CVE-2019-9960 the szip function within the downloadZip functionality allows for arbitrary file download. Verified against 4.1.11-200316, 3.15.0-181008, 3.9.0-180604, 3.6.0-180328, 3.0.0-171222, and 2.70.0-170921.
References:
- http://packetstormsecurity.com/files/157112/LimeSurvey-4.1.11-Path-Traversal.html
- https://github.com/LimeSurvey/LimeSurvey/commit/daf50ebb16574badfb7ae0b8526ddc5871378f1b
- https://www.exploit-db.com/exploits/48297
Published: 2020-04-01 · Exploited in the wild