The user can delete himself in limesurvey/limesurvey
Valid
Reported on Jun 14th 2023
Description
Bypassing the conditional check allows the user to delete himself.
Proof of Concept
Step 1: The user with id 18834 attempts to delete himself but encounters an error.
Step 2: By using userid=18834' instead of userid=18834, the user was able to successfully delete himself.
Impact
The user can delete himself, leading to potential misbehavior of the application.
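
An added example, not part of the original report and not LimeSurvey's code: a PHP sketch of how a self-deletion guard can miss userid=18834' when the guard compares the raw parameter while the delete path coerces it to an integer, shown beside a hardened form that validates the id once and uses that value for both steps. The function names, the in-memory user table and the assumed root cause (check and delete normalizing the id differently) are hypothetical; the report does not show the affected code.

```php
<?php
// Constructed in-memory stand-in for a users table (not LimeSurvey's schema).
function seedUsers(): array
{
    return [1 => 'admin', 18834 => 'reporter'];
}

// Hypothetical storage layer: like an integer key lookup, it coerces the id
// to int, so a value with trailing non-digits resolves to its numeric prefix.
function deleteRow(array &$users, string $rawId): bool
{
    $id = (int) $rawId;
    if (!isset($users[$id])) {
        return false;
    }
    unset($users[$id]);
    return true;
}

// Weak guard: compares the raw parameter with the session id as strings,
// then passes the same raw value to a layer that normalizes it differently.
function deleteUserWeak(array &$users, int $sessionUserId, string $rawId): string
{
    if ($rawId === (string) $sessionUserId) {
        return 'refused: cannot delete yourself';
    }
    return deleteRow($users, $rawId) ? 'deleted' : 'not found';
}

// Hardened guard: validate to a canonical integer once, reject anything
// else, and use that same integer for both the check and the delete.
function deleteUserHardened(array &$users, int $sessionUserId, string $rawId): string
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return 'refused: invalid userid';
    }
    if ($id === $sessionUserId) {
        return 'refused: cannot delete yourself';
    }
    return deleteRow($users, (string) $id) ? 'deleted' : 'not found';
}

// The two userid values from the report, sent by the user with session id 18834.
foreach (['18834', "18834'"] as $raw) {
    $a = seedUsers();
    $b = seedUsers();
    printf("%-8s weak: %-32s hardened: %s\n", $raw, deleteUserWeak($a, 18834, $raw), deleteUserHardened($b, 18834, $raw));
}
```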
We are processing your report and will contact the limesurvey team within 24 hours.
3 months ago
blacklotus modified the report
3 months ago
blacklotus modified the report
3 months ago
We have contacted a member of the limesurvey team and are waiting to hear back
3 months ago
Carsten Schmitz modified the CWE from Business Logic Errors to Improper Input Validation
3 months ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
The researcher has received a minor penalty to their credibility for misclassifying the vulnerability type: -1
The researcher's credibility has increased: +7
The fix bounty has been dropped
This vulnerability will not receive a CVE
This vulnerability is scheduled to go public on Jun 19th 2023
Hi @c-schmitz Could you pls assign a CVE for this issue? Thank you