Stored XSS on Survey "Notification and data function" in limesurvey/limesurvey


Reported on

Jun 28th 2023


Users with edit and update survey permission can perform an XSS

Proof of Concept

Log in with any user with this permission

Update the "Send basic admin notification email to" field with this value test"><img src=x onerror=alert(document.domain)>

Access the survey and the payload will be triggered.


An attacker can manipulate the admin user to send requests to perform unintended actions on the admin browser.
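The defensive side of the steps above, as an added example that is not part of the original report and is not LimeSurvey's code or its fix: validate the notification field as an address list on input, and encode it for the attribute context on output. The function names, the `notify_to` field name, the `;` separator and the assumption that the value is echoed into an HTML attribute (suggested by the payload's leading `">`) are all hypothetical.

```php
<?php
// Added illustration only; every name here is hypothetical.

/**
 * Validate a recipient list before it is stored.
 * Assumption: the field holds e-mail addresses separated by ';'.
 * Returns the normalized list, or null when any entry is not an address.
 */
function normalizeRecipients(string $raw): ?string
{
    $clean = [];
    foreach (explode(';', $raw) as $entry) {
        $entry = trim($entry);
        if ($entry === '') {
            continue; // tolerate empty entries such as a trailing separator
        }
        if (filter_var($entry, FILTER_VALIDATE_EMAIL) === false) {
            return null; // reject the whole value instead of trying to "clean" it
        }
        $clean[] = $entry;
    }
    return implode(';', $clean);
}

/** Unsafe pattern: the stored value is concatenated into the attribute as-is. */
function renderFieldUnsafe(string $stored): string
{
    return '<input type="text" name="notify_to" value="' . $stored . '">';
}

/** Hardened pattern: encode for the HTML attribute context at output time. */
function renderFieldSafe(string $stored): string
{
    $encoded = htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="notify_to" value="' . $encoded . '">';
}

// Value taken from the report's proof of concept.
$poc = 'test"><img src=x onerror=alert(document.domain)>';

// Input side: the PoC value has no valid address, a constructed list does.
var_dump(normalizeRecipients($poc));
var_dump(normalizeRecipients('a@example.org; b@example.org'));

// Output side: compare where the value="" attribute ends in each rendering.
echo renderFieldUnsafe($poc), PHP_EOL;
echo renderFieldSafe($poc), PHP_EOL;
```

Output encoding is the control that matters for values already in the database; input validation alone does not cover rows stored before the check existed.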

We are processing your report and will contact the limesurvey team within 24 hours. 3 months ago
hiu240900 modified the report
3 months ago
Carsten Schmitz
3 months ago


Please be patient while we verify the issue. Internal issue number: #18928

3 months ago


Take your time, if any further information is needed just leave a message here.

We have contacted a member of the limesurvey team and are waiting to hear back 3 months ago
Carsten Schmitz modified the Severity from High (7.6) to Medium (6.3) 2 months ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Carsten Schmitz validated this vulnerability 2 months ago
hiu240900 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Carsten Schmitz marked this as fixed in 6.1.7 with commit e126e3 2 months ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
Carsten Schmitz published this vulnerability 2 months ago