Stored XSS in limesurvey/limesurvey

Valid

Reported on

Feb 16th 2023


Description

Stored XSS bug

SUMMARY

Here I used the demo installation https://demo.limesurvey.org/ in the Firefox browser.

Proof of Concept

Log in to any user account that has permission to view the survey, visit the URL https://demo.limesurvey.org/index.php?r=questionAdministration/edit&questionId=1389&landOnSideMenuTab=structure&tabOverviewEditor=xss%22%27%3E%3Cimg+src=x+onerror=alert()%3E and see that the XSS is executed.

In this URL you need to change the questionId parameter value to any valid question ID.

Please let me know if you need more info. Due to lack of time I submitted this small report.

Impact

Using this XSS, an attacker can execute any JavaScript code in the victim's account.
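
For maintainers, a sketch of output handling that keeps the `tabOverviewEditor` value from the PoC URL inert. This is an added example, not code from the report or from LimeSurvey: the function names, the markup and the allowlisted tab names are hypothetical, and the page does not show how the fix in 5.6.6 was implemented.

```php
<?php
declare(strict_types=1);

// Added illustration, not LimeSurvey code. Function names, markup and the
// allowlisted tab names are hypothetical.

// Vulnerable pattern: the request value is concatenated into an attribute as-is,
// so a quote followed by '>' closes the attribute and the tag.
function renderTabUnsafe(string $tab): string
{
    return '<div class="editor" data-tab="' . $tab . '"></div>';
}

// Context encoding: quotes and angle brackets become entities, so the value
// cannot leave the attribute it is written into.
function renderTabEncoded(string $tab): string
{
    $encoded = htmlspecialchars($tab, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<div class="editor" data-tab="' . $encoded . '"></div>';
}

// Allowlist plus encoding: a tab selector only has a few legitimate values,
// so anything else is replaced by the default before it is encoded.
function renderTabAllowlisted(string $tab): string
{
    $allowed = ['overview', 'editor']; // hypothetical tab names
    if (!in_array($tab, $allowed, true)) {
        $tab = $allowed[0];
    }
    return renderTabEncoded($tab);
}

// Constructed inputs: the URL-decoded parameter value from the PoC and a
// legitimate value.
$samples = [
    'xss"\'><img src=x onerror=alert()>',
    'editor',
];

foreach ($samples as $value) {
    echo 'input      : ', $value, PHP_EOL;
    echo 'unsafe     : ', renderTabUnsafe($value), PHP_EOL;
    echo 'encoded    : ', renderTabEncoded($value), PHP_EOL;
    echo 'allowlisted: ', renderTabAllowlisted($value), PHP_EOL, PHP_EOL;
}
```

`htmlspecialchars` with `ENT_QUOTES` covers HTML element and quoted-attribute contexts only; a value written into a script block or a URL attribute needs the encoder for that context.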

We are processing your report and will contact the limesurvey team within 24 hours. a month ago
We have contacted a member of the limesurvey team and are waiting to hear back a month ago
Carsten Schmitz modified the Severity from Critical (9.1) to Medium (4.3) a month ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Carsten Schmitz validated this vulnerability a month ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Carsten Schmitz marked this as fixed in 5.6.6 with commit 7b2bca a month ago
Carsten Schmitz has been awarded the fix bounty
This vulnerability will not receive a CVE
This vulnerability is scheduled to go public on Feb 20th 2023
create.php#L34-L172 has been validated
Carsten Schmitz gave praise a month ago
Thank you!
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
Carsten Schmitz published this vulnerability a month ago