Stored XSS on Survey "Notification and data function" in limesurvey/limesurvey
Valid
Reported on Jun 28th 2023
Description
Users with edit and update survey permissions can perform a stored XSS attack.
Proof of Concept
Log in with any user that has this permission.
Update the "Send basic admin notification email to" field with this value: test"><img src=x onerror=alert(document.domain)>
Access the survey and the payload will be triggered.
Impact
An attacker can cause the admin user's browser to send requests that perform unintended actions in the admin's session.
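The report boils down to two missing controls: the notification field accepts arbitrary text although it should only ever hold e-mail addresses, and the stored value is later written into an HTML attribute without escaping. The example below is added here to show both sides of the fix; it is not LimeSurvey's own code, the field name "admin_email", the separator characters and the address regular expression are assumptions, and the payload string is the one quoted in the proof of concept above.

```python
import html
import re

# The value the report places in the "Send basic admin notification email to"
# field (copied from the proof of concept above; used here as test input).
REPORTED_PAYLOAD = 'test"><img src=x onerror=alert(document.domain)>'

# Assumed address pattern: deliberately strict, so any markup characters
# (quotes, angle brackets, spaces) are rejected before the value is stored.
_ADDRESS_RE = re.compile(r'^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$')


def validate_notification_recipients(raw: str) -> list[str]:
    """Input-side control: accept only a list of plain e-mail addresses.

    The field is assumed to hold one or more addresses separated by ';' or ','.
    Anything that is not an address raises ValueError, so the XSS payload
    never reaches the database in the first place.
    """
    recipients = []
    for part in re.split(r'[;,]', raw):
        addr = part.strip()
        if not addr:
            continue
        if not _ADDRESS_RE.fullmatch(addr):
            raise ValueError(f"not a valid e-mail address: {addr!r}")
        recipients.append(addr)
    return recipients


def render_field_unsafe(value: str) -> str:
    """The vulnerable pattern: the stored value is interpolated verbatim into
    an attribute value, so a double quote in the value closes the attribute
    and the rest of the string becomes new markup."""
    return f'<input name="admin_email" value="{value}">'


def render_field_safe(value: str) -> str:
    """Output-side control: HTML-escape the value for an attribute context.
    quote=True turns both " and ' into entities, so the attribute cannot be
    closed early and < > become &lt; &gt;."""
    return f'<input name="admin_email" value="{html.escape(value, quote=True)}">'


def breaks_out_of_attribute(rendered: str) -> bool:
    """Check helper: only one <input> tag was intended, so a second '<' in the
    rendered markup means the value escaped the attribute context."""
    return rendered.count('<') > 1


if __name__ == "__main__":
    print("unsafe :", render_field_unsafe(REPORTED_PAYLOAD))
    print("safe   :", render_field_safe(REPORTED_PAYLOAD))
    try:
        validate_notification_recipients(REPORTED_PAYLOAD)
    except ValueError as exc:
        print("rejected on input:", exc)
    print(validate_notification_recipients("admin@example.com; ops@example.org"))
```

Either control alone would have stopped this particular payload; applying both is the usual recommendation, because the same stored value may be rendered in more than one template and only the one the researcher found is known to be unescaped.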
We are processing your report and will contact the limesurvey team within 24 hours.
3 months ago
hiu240900 modified the report
3 months ago
Please be patient while we verify the issue. Internal issue number: #18928
Take your time, if any further information is needed just leave a message here.
We have contacted a member of the limesurvey team and are waiting to hear back
3 months ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
The researcher's credibility has increased: +7
The fix bounty has been dropped
This vulnerability will not receive a CVE