LimeSurvey 6.13.0 Session Cookie Injection Vulnerability Leading to Internal Information Disclosure

Vulnerability

A vulnerability in LimeSurvey version 6.13.0 allows unauthenticated external users to trigger an HTTP 500 error by sending a malformed session cookie. The error response reveals internal backend details, including the Yii framework, the MySQL/MariaDB database engine, the 'lime_sessions' table, its primary keys, and fragments of the conflicting content. Such information could help an attacker understand the application's internal architecture.

Impact

Exploitation of this vulnerability results in a 500 error, but not before the response discloses sensitive internal information that could be used to map the application's architecture and support the exploitation of other vulnerabilities.

Remediation

Users can upgrade to LimeSurvey version 6.15.0 to address this vulnerability.
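The advisory describes two separable defects: a session cookie value that is never validated before it reaches the database, and an error handler that echoes the database exception to the client. As an added example that is not part of this advisory or of LimeSurvey's own code, the following Python sketch shows the defensive pattern for both: reject cookies that cannot be a session identifier before any lookup, and when the store does fail, keep the driver, table and key details in the server log while the client gets a fixed body. The `PHPSESSID` cookie name, the identifier alphabet and length bounds, and the `_demo_store` backend (with its constructed error message) are assumptions for illustration, not values taken from the advisory.

```python
"""Defensive session-cookie handling (added example, not LimeSurvey code)."""
import logging
import re
from typing import Callable, Mapping, Optional, Tuple

log = logging.getLogger("session")

# Assumed constraint: PHP session identifiers are drawn from [A-Za-z0-9,-]
# and are 22 to 256 characters long depending on session.sid_length and
# session.sid_bits_per_character. Anything outside this shape never needs
# a database round trip, so it is rejected up front.
SESSION_ID_RE = re.compile(r"^[A-Za-z0-9,-]{22,256}$")

# The only text a client ever sees on a backend failure.
GENERIC_ERROR_BODY = "An internal error occurred. Please try again later."


def is_well_formed_session_id(value: Optional[str]) -> bool:
    """True when the cookie value could plausibly be a session identifier."""
    return value is not None and SESSION_ID_RE.fullmatch(value) is not None


def handle_request(cookies: Mapping[str, str],
                   lookup: Callable[[str], Optional[dict]]) -> Tuple[int, str]:
    """Return (status, body). `lookup` stands in for the session-table query."""
    sid = cookies.get("PHPSESSID")
    if sid is None:
        return 200, "anonymous"  # no cookie: nothing to look up
    if not is_well_formed_session_id(sid):
        # Refuse the cookie before the backend sees it; log its length only,
        # so hostile cookie contents never land verbatim in the log.
        log.warning("rejected malformed session cookie (len=%d)", len(sid))
        return 400, "Bad Request"
    try:
        session = lookup(sid)
    except Exception:
        # Backend detail (driver, table, keys, conflicting row) goes to the
        # server log with its traceback; the client gets the generic body.
        log.exception("session store failure")
        return 500, GENERIC_ERROR_BODY
    if session is None:
        return 200, "anonymous"
    return 200, f"user={session['user']}"


def _demo_store(sid: str) -> Optional[dict]:
    """Constructed stand-in for the session table, for the example only.

    Identifiers starting with 'dup' simulate the backend blowing up with a
    database error whose text names internal objects; that text must not
    reach the client.
    """
    sessions = {"a" * 26: {"user": "alice"}}
    if sid.startswith("dup"):
        raise RuntimeError(
            "CDbException: Duplicate entry 'x' for key 'PRIMARY' in lime_sessions"
        )
    return sessions.get(sid)


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print(handle_request({"PHPSESSID": "a" * 26}, _demo_store))
    print(handle_request({"PHPSESSID": "x'; --"}, _demo_store))
    print(handle_request({"PHPSESSID": "dup" + "a" * 30}, _demo_store))
```

The shape check is a cheap first layer; the second layer is the one that fixes the disclosure on its own, since an unanticipated backend failure for a well-formed identifier still returns nothing but the generic body. In a Yii-based deployment the equivalent production setting is to run with debug mode off and a custom error action, so the framework's exception page is never rendered to clients.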

Added: Nov 20, 2025, 3:29 PM
Updated: Nov 20, 2025, 3:29 PM

Vulnerability Rating

Custom Algorithm

spread: 3.4
impact: 0.6
exploitability: 7.6
remediation: 7.7
relevance: 1.1
threat: 0.0
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.