LimeSurvey 2.6.x before 2.6.7, 2.7x.x before 2.73.1, and 3.x before 3.4.2 mishandles application/controller/InstallerController.php after installation, which allows remote attackers to access the configuration file.
{
"unresolved_ranges": [
{
"cpes": [
"cpe:2.3:a:limesurvey:limesurvey:*:*:*:*:*:*:*:*"
],
"vendor_product": "limesurvey:limesurvey",
"extracted_events": [
{
"introduced": "2.6.0"
},
{
"fixed": "2.6.7"
}
],
"source": "CPE_RANGE"
},
{
"cpes": [
"cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*"
],
"vendor_product": "debian:debian_linux",
"extracted_events": [
{
"introduced": "7.0"
},
{
"last_affected": "7.0"
}
],
"source": "CPE_STRING"
}
]
}{
"cpe": "cpe:2.3:a:limesurvey:limesurvey:*:*:*:*:*:*:*:*",
"extracted_events": [
{
"introduced": "2.7.0"
},
{
"fixed": "2.73.1"
},
{
"introduced": "3.0.0"
},
{
"fixed": "3.4.2"
}
],
"source": "CPE_RANGE"
}