IDOR in Group members in limesurvey/limesurvey
Valid
Reported on Jun 28th 2023
Description
By manipulating the ugid, a user who is not in the group can view the members list of the group.
Proof of Concept
Step 1: Go to the User Group function and see that this user can only view these two groups.
Step 2: Click on View a group, manipulate the ugid, and confirm that this user can view the Group Members of other owners.
Step 3: Verify that this group's owner is demo.
Impact
By manipulating the ugid, a user who is not in the group can view the members list of the group.
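The missing check behind this report, modelled as an added example (this is not LimeSurvey's code; group data, the user names alice/carol/dave and the function names are constructed for illustration): the vulnerable shape returns members for whatever ugid the request carries, the hardened shape first confirms the requesting user owns or belongs to that group.

```php
<?php
// Added example, not LimeSurvey code. Constructed sample data: user groups keyed
// by ugid, each with an owner and a member list ("demo" as on the report's instance).
$groups = [
    1 => ['owner' => 'demo',  'members' => ['demo', 'alice']],
    2 => ['owner' => 'carol', 'members' => ['carol', 'dave']],
];

// Vulnerable shape: trusts the request-supplied ugid and returns the member
// list of any existing group, regardless of who is asking (the IDOR).
function membersVulnerable(array $groups, int $ugid): ?array
{
    return $groups[$ugid]['members'] ?? null;
}

// Hardened shape: the requester must own the group or be one of its members.
// Unknown and unauthorized groups both yield null, so the response does not
// reveal whether a guessed ugid exists.
function membersAuthorized(array $groups, int $ugid, string $requester): ?array
{
    if (!isset($groups[$ugid])) {
        return null;
    }
    $group   = $groups[$ugid];
    $allowed = $group['owner'] === $requester
        || in_array($requester, $group['members'], true);
    if (!$allowed) {
        // Record the denial: one user hitting many ugids is a useful signal
        // for spotting enumeration of other owners' groups.
        error_log(sprintf('denied group members: user=%s ugid=%d', $requester, $ugid));
        return null;
    }
    return $group['members'];
}

// alice belongs to group 1 only; compare both handlers on ugid 2 (not hers)
// and on ugid 1 (hers). A real handler would take ugid from the request,
// e.g. (int) ($_GET['ugid'] ?? 0), and the requester from the session.
var_dump(membersVulnerable($groups, 2));
var_dump(membersAuthorized($groups, 2, 'alice'));
var_dump(membersAuthorized($groups, 1, 'alice'));
```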
We are processing your report and will contact the limesurvey team within 24 hours.
3 months ago
We have contacted a member of the limesurvey team and are waiting to hear back
3 months ago
Please be patient while we verify the issue. Internal issue number: 18935
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
The researcher's credibility has increased: +7
The fix bounty has been dropped
This vulnerability will not receive a CVE