Description

In version 6.13.0 of LimeSurvey, any external user can cause a 500 error in the survey system by sending a malformed session cookie. Instead of displaying a generic error message, the system exposes internal backend information, including the use of the Yii framework, the MySQL/MariaDB database engine, the table name 'lime_sessions', primary keys, and fragments of the content that caused the conflict. This information can simplify an attacker's collection of data about the application's internal architecture.
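The weakness above is CWE-209: a database-layer failure is rendered straight into the HTTP response. The following PHP is an added example, not LimeSurvey or Yii code, showing the defensive pattern a maintainer would apply: reject a session identifier that does not have the shape PHP itself produces before it ever reaches the database, and when an exception does escape, write the details to the server log under a correlation id while the client receives only a generic message. The function names, the session-id pattern, and the constructed exception text are assumptions for illustration.

```php
<?php
// Added example (not LimeSurvey or Yii code): the CWE-209 fix pattern.
// Sensitive details go to the server log; the client gets a generic message.
// All function and parameter names here are hypothetical.

declare(strict_types=1);

/**
 * Reject session identifiers that do not match the alphabet and length range
 * PHP can generate (session.sid_length / session.sid_bits_per_character).
 * Assumption: default PHP session ids; tighten the pattern for a custom scheme.
 */
function isWellFormedSessionId(?string $id): bool
{
    return $id !== null && preg_match('/^[A-Za-z0-9,-]{22,128}$/', $id) === 1;
}

/**
 * Build the HTTP response for an unhandled exception.
 * Returns [status, body]. Internal detail is passed to $log, never placed in $body.
 */
function buildErrorResponse(Throwable $e, bool $debug, callable $log): array
{
    // Full detail (class, message, location) belongs in the log with a correlation id
    // so support staff can find it without the browser ever seeing it.
    $ref = bin2hex(random_bytes(8));
    $log(sprintf('[%s] %s: %s in %s:%d',
        $ref, get_class($e), $e->getMessage(), $e->getFile(), $e->getLine()));

    if ($debug) {
        // Development only: surface details to the browser.
        return [500, get_class($e) . ': ' . $e->getMessage()];
    }
    // Production: generic message plus the correlation id for support requests.
    return [500, "An internal error occurred. Reference: $ref"];
}

// Demonstration with a constructed exception that mimics a database-layer failure
// of the kind the advisory describes (engine, table and key in the message).
$captured = [];
$logger = function (string $line) use (&$captured): void { $captured[] = $line; };

$dbError = new RuntimeException(
    "constructed: duplicate primary key in table lime_sessions (MariaDB)"
);

[$status, $body] = buildErrorResponse($dbError, false, $logger);
echo "$status $body\n";
// The production body leaks nothing about the framework, engine or table name,
// while the log line retains everything needed for diagnosis.
assert(strpos($body, 'lime_sessions') === false);
assert(strpos($captured[0], 'lime_sessions') !== false);

// The same handler with debug enabled shows why debug mode must stay off in production.
[, $debugBody] = buildErrorResponse($dbError, true, $logger);
echo "$debugBody\n";

// Session-id shape check: a malformed cookie value is refused up front.
var_dump(isWellFormedSessionId('abc'));                // false: too short
var_dump(isWellFormedSessionId(str_repeat('a', 32)));  // true
```

In a Yii-based application the equivalent of the `$debug` switch is the framework's debug setting; the point of the example is that the production branch never interpolates exception text, table names or key values into the response body, regardless of which exception type reached the handler.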

Status: PUBLISHED. Reserved 2025-04-16, published 2025-11-20, updated 2025-11-20. Assigner: INCIBE.

Severity: MEDIUM, 6.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N)

Problem types

CWE-209 Generation of Error Message Containing Sensitive Information

Product status

Default status: unaffected

6.13.0: affected

Credits

Julen Garrido Estevez (finder)

References

www.incibe.es/...aviso/multiple-vulnerabilities-limesurvey-0

cve.org (CVE-2025-41076)

nvd.nist.gov (CVE-2025-41076)