Stored XSS via user's Full Name in limesurvey/limesurvey
Jun 29th 2023
Proof of Concept
- Log in as a normal user and change the Full name to:
" accesskey="X" onclick="alert(document.domain)
- Log in as a privileged user who can manage users, such as an administrator.
- Go to the user management page, select the corresponding user, and press ALT+SHIFT+X on Windows or CTRL+ALT+X on OS X. The XSS payload will execute.
A normal user can add an XSS payload to their full name and trick a privileged user into executing it. This enables the normal user to perform actions on behalf of administrators through the attached payload.
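
The payload above begins with a double quote, which suggests the full name is written into a double-quoted HTML attribute without output encoding. The following added example (not LimeSurvey code and not part of the original report; the function names and markup are hypothetical) renders the report's full name with and without attribute encoding and lists the attributes an HTML parser sees: the unencoded rendering gains `accesskey` and `onclick` attributes, while the encoded one keeps only `href` and `title`.

```php
<?php
// Added illustration, not LimeSurvey code. Function names and markup are hypothetical.

// Vulnerable pattern: the stored full name is placed in a double-quoted
// attribute as-is, so a leading " closes the attribute value early.
function renderUserLinkUnsafe(string $fullName): string
{
    return '<a href="#" title="' . $fullName . '">Edit user</a>';
}

// Hardened pattern: encode for the HTML attribute context at output time.
// ENT_QUOTES encodes both " and '; ENT_SUBSTITUTE replaces invalid UTF-8.
function renderUserLinkSafe(string $fullName): string
{
    $encoded = htmlspecialchars($fullName, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<a href="#" title="' . $encoded . '">Edit user</a>';
}

// Parse the markup with an HTML parser and return the attribute names
// present on the first <a> element.
function anchorAttributeNames(string $html): array
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // keep parser warnings out of the output
    $doc->loadHTML($html);
    libxml_clear_errors();

    $names = [];
    foreach ($doc->getElementsByTagName('a')->item(0)->attributes as $attr) {
        $names[] = $attr->nodeName;
    }
    return $names;
}

// The full name from the proof of concept in this report.
$fullName = '" accesskey="X" onclick="alert(document.domain)';

echo 'unsafe: ', implode(', ', anchorAttributeNames(renderUserLinkUnsafe($fullName))), PHP_EOL;
echo 'safe:   ', implode(', ', anchorAttributeNames(renderUserLinkSafe($fullName))), PHP_EOL;
```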