WS-2023-0406
Published:May 15, 2026
Updated:May 15, 2026
privilege escalation bug to creation survey-group with others group as parent in limesurvey/limesurvey
Affected Packages
limesurvey/limesurvey (PHP):
Affected version(s) =dev-scrutinizer-exclude-paths <dev-sid-spacesFix Suggestion:
Update to version dev-sid-spaceslimesurvey/limesurvey (PHP):
Affected version(s) =dev-fix-tests2 <dev-quota-remote-disable2Fix Suggestion:
Update to version dev-quota-remote-disable2limesurvey/limesurvey (PHP):
Affected version(s) =dev-fix-gitignore <dev-fix-model-relationsFix Suggestion:
Update to version dev-fix-model-relationslimesurvey/limesurvey (PHP):
Affected version(s) =dev-booleans1 <dev-querybuilder1Fix Suggestion:
Update to version dev-querybuilder1limesurvey/limesurvey (PHP):
Affected version(s) =dev-develop-innodb <dev-display-import-errors-masterFix Suggestion:
Update to version dev-display-import-errors-masterlimesurvey/limesurvey (PHP):
Affected version(s) =dev-fix-theme-help <dev-fix-typoFix Suggestion:
Update to version dev-fix-typolimesurvey/limesurvey (PHP):
Affected version(s) >=4.0.1+200120 <4.2.0+200422Fix Suggestion:
Update to version 4.2.0+200422limesurvey/limesurvey (PHP):
Affected version(s) >=dev-install-command-rpc <dev-kill-travisFix Suggestion:
Update to version dev-kill-travislimesurvey/limesurvey (PHP):
Affected version(s) =dev-global-settings <dev-inject-questionattributesFix Suggestion:
Update to version dev-inject-questionattributeslimesurvey/limesurvey (PHP):
Affected version(s) >=dev-master-innodb-fix <dev-refactor-rc-checksessionFix Suggestion:
Update to version dev-refactor-rc-checksessionlimesurvey/limesurvey (PHP):
Affected version(s) =dev-viewanswers <dev-snyk-upgrade-1eb5139e4072b633334be7fdb770a7d3Fix Suggestion:
Update to version dev-snyk-upgrade-1eb5139e4072b633334be7fdb770a7d3limesurvey/limesurvey (PHP):
Affected version(s) =dev-tests-clieck-views1 <dev-dependabot/npm_and_yarn/assets/packages/questions/timer/loader-utils-1.4.2Fix Suggestion:
Update to version dev-dependabot/npm_and_yarn/assets/packages/questions/timer/loader-utils-1.4.2limesurvey/limesurvey (PHP):
Affected version(s) =3.0.0+171222 <dev-3.x-LTSFix Suggestion:
Update to version dev-3.x-LTSlimesurvey/limesurvey (PHP):
Affected version(s) =dev-redo-13161 <dev-fix-14253Fix Suggestion:
Update to version dev-fix-14253limesurvey/limesurvey (PHP):
Affected version(s) =dev-survey-activator2 <dev-dependabot/npm_and_yarn/assets/packages/adminbasics/loader-utils-2.0.3Fix Suggestion:
Update to version dev-dependabot/npm_and_yarn/assets/packages/adminbasics/loader-utils-2.0.3limesurvey/limesurvey (PHP):
Affected version(s) =3.0.0-RC.1 <3.0.0-RC.2+171102Fix Suggestion:
Update to version 3.0.0-RC.2+171102limesurvey/limesurvey (PHP):
Affected version(s) =dev-fix-spss-token-length <dev-fix-testsFix Suggestion:
Update to version dev-fix-testslimesurvey/limesurvey (PHP):
Affected version(s) >=4.0.0-beta <dev-on-update-values-v4Fix Suggestion:
Update to version dev-on-update-values-v4limesurvey/limesurvey (PHP):
Affected version(s) =dev-tests-lchtest <dev-travis-aptFix Suggestion:
Update to version dev-travis-aptlimesurvey/limesurvey (PHP):
Affected version(s) >=3.0.1+171228 <3.4.4+180305Fix Suggestion:
Update to version 3.4.4+180305limesurvey/limesurvey (PHP):
Affected version(s) =dev-scrutinizer-patch-2 <dev-snyk-fix-a9c10ba47e88a08c83b32a913752ea82Fix Suggestion:
Update to version dev-snyk-fix-a9c10ba47e88a08c83b32a913752ea82limesurvey/limesurvey (PHP):
Affected version(s) =dev-inspect-31 <dev-snyk-upgrade-53b356322f333277c170a2cf3a032ba7Fix Suggestion:
Update to version dev-snyk-upgrade-53b356322f333277c170a2cf3a032ba7limesurvey/limesurvey (PHP):
Affected version(s) =dev-survey-defaultsettings <dev-test-log-checksFix Suggestion:
Update to version dev-test-log-checkslimesurvey/limesurvey (PHP):
Affected version(s) >=dev-answers-view <dev-basicFix Suggestion:
Update to version dev-basiclimesurvey/limesurvey (PHP):
Affected version(s) =dev-scrutinizer-patch-1 <dev-snyk-upgrade-bc996b6b018fc6ea7d4263390981c31aFix Suggestion:
Update to version dev-snyk-upgrade-bc996b6b018fc6ea7d4263390981c31alimesurvey/limesurvey (PHP):
Affected version(s) =dev-travis-postgre <dev-update-testing-dependenciesFix Suggestion:
Update to version dev-update-testing-dependencieslimesurvey/limesurvey (PHP):
Affected version(s) =dev-scrutinizer-patch-3 <dev-snyk-upgrade-f2061a8270a5579306cb12524f53a6d4Fix Suggestion:
Update to version dev-snyk-upgrade-f2061a8270a5579306cb12524f53a6d4Related Resources (1)
Do you need more information?
Contact UsCVSS v4
Base Score:
8.7
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
LOW
User Interaction
NONE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
HIGH
Vulnerable System Availability
LOW
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
8.3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
LOW