Stored XSS via user's Full Name in limesurvey/limesurvey


Reported on

Jun 29th 2023


The user's full name is rendered as HTML during user deletion. This enables an user to add Javascript code in the username which when can be executed in admin's webpage during user deletion.

Proof of Concept

  • Login as a normal user and change the Full name to:
" accesskey="X" onclick="alert(document.domain)

  • Login as a privileged user who can manage users such as an administrator.
  • Go to user management page and select the corresponding user and click on Delete user.
  • Press ALT+SHIFT+X on Windows or CTRL+ALT+X on OS X. The XSS payload will execute.


A normal user can add XSS payload in their full name and can trick privileged user into executing them. This enables the normal user to perform actions on behalf of administrators through the attached payload.


We are processing your report and will contact the limesurvey team within 24 hours. 3 months ago
We have contacted a member of the limesurvey team and are waiting to hear back 3 months ago
2 months ago


Internal tracking number: 18974

tiborpacalat validated this vulnerability 2 months ago
Niraj Khatiwada has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
tiborpacalat marked this as fixed in 6.2.0+230732 with commit 332497 2 months ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
tiborpacalat published this vulnerability 2 months ago
to join this conversation