LimeSurvey 3.17.15+190903
3 September 2019
LimeSurvey version 3.17.15+190903 is now available (security release).
Upgrading to LimeSurvey 3.17.15+190903
LimeSurvey 3.17.15+190903 can be upgraded to (or installed) using any of Installatron's products. Use Installatron's optional Automatic Update feature to automatically apply LimeSurvey updates as new versions are released, or use Installatron's Clone feature to duplicate an existing LimeSurvey install to test the 3.17.15+190903 upgrade prior to applying it live.
What's New in LimeSurvey 3.17.15+190903
3.17.15
Bug Fixes
- Settings and Structure tabs are broken - no action happens
3.17.14
Security
- XSS in admin box buttons - kindly reported by Pavol Michalec & Frederik Koľbík
- XML breakout possible on export - kindly reported by Pavol Michalec & Frederik Koľbík
- X-Frame-Options SAMEORIGIN not set by default - kindly reported by Pavol Michalec & Frederik Koľbík
- User unaware that SSL encryption should be enforced
- Path revelation
- LDAP login non-generic login message - kindly reported by Pavol Michalec & Frederik Koľbík
- Equation signs are not masked by default on data export
- CSRF cookie missing HTTP only parameter - kindly reported by Pavol Michalec & Frederik Koľbík
- Admin user without permissions can still see plugins page - kindly reported by Pavol Michalec & Frederik Koľbík
- Admin user with settings permissions can run integrity check - kindly reported by Pavol Michalec & Frederik Koľbík
- Admin user with limited permissions can view/update/delete reserved menu entries
- Admin user can mark other user notification as read
- Database backup uses browser cache
- Browser cache used for exports
- Stored XSS vulnerabilities - Thanks to J. Greil from the SEC Consult Vulnerability Lab
- Reflected XSS vulnerabilities - thanks to J. Greil from the SEC Consult Vulnerability Lab
- Survey upload self-reflecting XSS
Bug Fixes
- Sidebar not working on IE11
- Memory issues if too many responses exist for the same token in a non-anonymous survey
- LsTutorial only working in debug mode
- Language not updated on import and overwrite in CPDB
- JS error in firstStartTour onShow code
- After survey activation the ExpressionManager cache was not updated
- Survey navigation shows message "Please use the survey navigation buttons...[]" instead of navigating
- 500 error when trying to save a long administrator name
- MSSQL error on 2nd page of theme
- MSSQL: date/time questions are not reloaded properly
- Submitting empty menu entry crashes application
- Unable to remove page title from PDF generated at "print answers" screen
- entering html code inside the answeroptions for List type questions will break/alter the html for editing answers
- Access Label sets list
- Extending core theme using the same core theme name
- Commit test! Ignore
- setting "Show header in answers export PDFs" not taken into account
3.17.13
Bug Fixes
- Surveys with less or more than 4-6 digits will not display the sidepanel
3.17.12
Bug Fixes
- Sub Questions cannot be deleted
3.17.11
Bug Fixes
- sidepanel breaking on surveys with a 5 digit id
- adding and deleting of subquestions and answers broken
3.17.10
Security
- XSS with constructor statements in textedit
- Check both mime type and file extension when validating image
- XSS when using predefined label sets
- XSS in label title
- XSS in Boxes
Bug Fixes
- cannot save questions anymore
- Tagalog translation not available
- Panel integration 500 error
- Ranking question on mobile devices
- The Button "exit and clear survey entrys" should not be on the last page
- "Go to survey" menu icon not working in collapsed menu mode
3.17.9
Security
- File extension not filtered, possible XSS
Highlights
- allow user to upload custom twig extensions
Bug Fixes
- setting admin password with CLI database installation fails
- Other option with number only erases decimal comma - with NO warning
3.17.8
Bug Fixes
- redirection after adding ComfortUpdate Key
- Adding ComfortUpdate key at leads to blank screen
- Problem: can't upload file on some servers
- Limesurvey users with limited rights get "undefined" error message when trying to upload a file at the survey theme options
- use Survey::model in command plugin reset theme
- Green bar after calculating storage
3.17.7
Bug Fixes
- In IE, for an Array question the radio buttons disappear when resizing the page to the point the answers start to stack
- Fixed invalid ajaxUpdate setting "true" causing issues for other scripts
- No CPDB grid refresh after adding a new entry
- Panel integration not displayed in French
- Show correct id attribute for additional attributes
- ComfortUpdate download counts incorrect
3.17.6
Security
- Unauthorized admin can create new user using Authdb plugin
Bug Fixes
- Comparison of String and Numeric is different in same page and other page
- Questions with Expression Manager code are not shown properly at Quota overview
- Opening and ending tag issue on token edit form
- 'Show pop-ups' 'Off'-setting not working anymore
- Prevent SID of -1 during import
- Preview group : relevance on question broken
- Loss of data when loading a non finished survey
- Charts in Statistics are not showing completely - added check
- Checkbox radio Y scale not shown on small screens
- Array checkbox : all EM usage in same page is broken
- Validation code uneditable
- Missing noanswer-item class for 5 point choice array
- Preview question not working
- Usage of self.NAOK inside all question parts is broken
- HTML tables have a missing cell in statistics
- missing noanswer-item class for array by column