Multiple vulnerabilities in LimeSurvey

Posted date 20/11/2025
Identifier
INCIBE-2025-0651
Importance
3 - Medium
Affected Resources

LimeSurvey, version 6.13.0.

Description

INCIBE has coordinated the publication of 3 medium-severity vulnerabilities affecting LimeSurvey 6.13.0, an online survey application. The vulnerabilities were discovered by Julen Garrido Estevez.

Each vulnerability has been assigned the following CVE identifier, CVSS v4.0 base score, CVSS vector, and CWE vulnerability type:

  • CVE-2025-41074: CVSS v4.0: 6.9 | CVSS AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N | CWE-835
  • CVE-2025-41075: CVSS v4.0: 6.9 | CVSS AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N | CWE-835
  • CVE-2025-41076: CVSS v4.0: 6.9 | CVSS AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N | CWE-209
Solution

The vulnerabilities have been fixed by the LimeSurvey team in version 6.15.0.

Detail
  • Vulnerability in LimeSurvey 6.13.0 that causes infinite HTTP redirects when accessed directly. This behavior can be exploited to cause a Denial of Service (DoS) attack by exhausting server or client resources. The system is unable to break the redirect loop, which can cause service degradation or browser instability.
    • CVE-2025-41074: in the endpoint '/optout'.
    • CVE-2025-41075: in the endpoint '/optin'.
  • CVE-2025-41076: In version 6.13.0 of LimeSurvey, any external user can cause a 500 error in the survey system by sending a malformed session cookie. Instead of displaying a generic error message, the system exposes internal backend information, including the use of the Yii framework, the MySQL/MariaDB database engine, the table name 'lime_sessions', primary keys, and fragments of the content that caused the conflict. This information can simplify the collection of data about the internal architecture of the application by an attacker. 
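
A detection sketch for the redirect loops described above (CVE-2025-41074 and CVE-2025-41075), added here as an example and not part of the INCIBE advisory or LimeSurvey's code: it flags clients that receive repeated 3xx responses from '/optin' or '/optout' within a short window. The "combined" access-log format, the threshold, the window and the sample lines are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in "combined" access-log format (assumed, not from the advisory).
SAMPLE_LOG = "\n".join(
    [f'203.0.113.7 - - [20/Nov/2025:10:00:0{s} +0000] "GET /optout HTTP/1.1" 302 0 "-" "-"'
     for s in range(6)]
    + ['198.51.100.9 - - [20/Nov/2025:10:00:01 +0000] "GET /optin HTTP/1.1" 302 0 "-" "-"',
       '198.51.100.9 - - [20/Nov/2025:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "-"']
)

LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
# Match the endpoint as a whole path segment, so "/optinfo" is not counted.
ENDPOINT = re.compile(r'/(optin|optout)(?=/|$)')

def find_redirect_loops(log_text, threshold=5, window=timedelta(seconds=10)):
    """Return {(client_ip, endpoint): n} where n is the largest number of 3xx
    responses that client got from the endpoint inside any `window`, if n >= threshold."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or not m["status"].startswith("3"):
            continue  # unparsable line or not a redirect
        ep = ENDPOINT.search(m["path"].split("?", 1)[0])  # ignore the query string
        if ep:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            hits[(m["ip"], ep.group(1))].append(ts)
    flagged = {}
    for key, times in hits.items():
        times.sort()
        start = best = 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[key] = best
    return flagged

if __name__ == "__main__":
    for (ip, endpoint), n in find_redirect_loops(SAMPLE_LOG).items():
        print(f"possible redirect loop: {ip} got {n} redirects from /{endpoint}")
```

A single opt-in or opt-out normally produces at most a few redirects, so tune the threshold against baseline traffic before alerting on it.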
CVE
  • CVE identifier: CVE-2025-41074 | Severity: Medium | Exploitation: No | Vendor:
  • CVE identifier: CVE-2025-41075 | Severity: Medium | Exploitation: No | Vendor:
  • CVE identifier: CVE-2025-41076 | Severity: Medium | Exploitation: No | Vendor: