CVE-2025-41076
BaseFortify
Publication date: 2025-11-20
Last updated on: 2025-11-21
Assigner: Spanish National Cybersecurity Institute, S.A. (INCIBE)
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| limesurvey | limesurvey | 6.13.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-209 | The product generates an error message that includes sensitive information about its environment, users, or associated data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
In LimeSurvey version 6.13.0, an external user can trigger a server error (500 error) by sending a malformed session cookie. Instead of showing a generic error message, the system reveals internal backend details such as the use of the Yii framework, the MySQL/MariaDB database engine, the table name 'lime_sessions', primary keys, and parts of the conflicting content. This exposure can help an attacker learn about the internal architecture of the application.
How can this vulnerability impact me? :
This vulnerability can impact you by exposing sensitive internal information about the LimeSurvey system's backend when a malformed session cookie is sent. Attackers can use this information to better understand the system's architecture, which may facilitate further attacks or exploitation attempts.