CVE-2019-25019 – This SQL injection vulnerability in LimeSurvey'... (How to Fix)

Q: What is the severity of CVE-2019-25019?

CVE-2019-25019 has a CVSS score of 9.8 (CRITICAL). This SQL injection vulnerability in LimeSurvey's participant model allows attackers to execute arbitrary SQL commands on the database. It affects all LimeSurvey installations before version 4.0.0-RC4, potentially compromising survey data and system integrity.

📋 TL;DR

This SQL injection vulnerability in LimeSurvey's participant model allows attackers to execute arbitrary SQL commands on the database. It affects all LimeSurvey installations before version 4.0.0-RC4, potentially compromising survey data and system integrity.

💻 Affected Systems

Products:

LimeSurvey

Versions: All versions before 4.0.0-RC4

Operating Systems: All platforms running LimeSurvey

Default Config Vulnerable: ⚠️ Yes

Notes: Affects all LimeSurvey installations with participant management functionality enabled.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise leading to data theft, data manipulation, or full system takeover via SQL injection to execute arbitrary commands.

🟠

Likely Case

Unauthorized access to survey participant data, potential extraction of sensitive information, and database manipulation.

🟢

If Mitigated

Limited impact with proper input validation and database permissions, potentially only affecting non-sensitive data.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: LOW

SQL injection typically requires some level of access but can be exploited through various user input vectors.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.0.0-RC4 and later

Vendor Advisory: https://community.limesurvey.org/release/191008/

Restart Required: No

Instructions:

1. Backup your LimeSurvey installation and database. 2. Download LimeSurvey 4.0.0-RC4 or later from the official repository. 3. Replace the affected files with the patched version. 4. Verify the installation works correctly.

🔧 Temporary Workarounds

Input Validation Enhancement

all

Implement additional input validation and parameterized queries for participant model functions

Database Permission Restriction

all

Restrict database user permissions to minimum required operations

🧯 If You Can't Patch

Implement web application firewall (WAF) rules to block SQL injection patterns
Disable or restrict access to participant management functionality if not required

🔍 How to Verify

Check if Vulnerable:

Check LimeSurvey version in administration panel or by examining the installation files for version markers.

Check Version:

Check the version in LimeSurvey admin panel or examine /application/config/version.php file

Verify Fix Applied:

Verify installation shows version 4.0.0-RC4 or later in the administration interface.

📡 Detection & Monitoring

Log Indicators:

Unusual SQL queries in database logs
Multiple failed login attempts or unusual participant data access patterns

Network Indicators:

Unusual HTTP POST requests to participant-related endpoints with SQL-like payloads

SIEM Query:

source="web_server" AND (url="*participant*" AND (payload="*SELECT*" OR payload="*UNION*" OR payload="*OR 1=1*"))

📊 Metadata

CVE ID: CVE-2019-25019

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-89

Published: February 14, 2021

Last Updated: November 21, 2024

🔗 References

https://community.limesurvey.org/release/191008/ Release Notes,Vendor Advisory
https://github.com/LimeSurvey/LimeSurvey/blob/master/docs/release_notes.txt Release Notes,Third Party Advisory
https://community.limesurvey.org/release/191008/ Release Notes,Vendor Advisory
https://github.com/LimeSurvey/LimeSurvey/blob/master/docs/release_notes.txt Release Notes,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2019-25019, you might also want to check these:

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Limesurvey by Limesurvey

Limesurvey by Limesurvey

Limesurvey by Limesurvey

Limesurvey by Limesurvey

Limesurvey by Limesurvey

Limesurvey by Limesurvey

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Input Validation Enhancement

Database Permission Restriction

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities