The ability to edit groups owned by any user. in limesurvey/limesurvey

Valid

Reported on

Jun 15th 2023


Description

The edit group function does not check the owner, allowing for the possibility to modify a group without being the owner of that group.

Proof of Concept

Step 1: We have User1 who owns Group 1 and Group 2; User5 who owns Group 5.

Step 2: User1 performs an edit group action and changes the value of the ugid parameter to the groupId of User5.

Step 3: User1 successfully edits User5's group.
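The flaw described above is a missing object-level authorization check: the handler trusts the ugid in the request and never compares the group's owner with the logged-in user. The following is an added illustration (not LimeSurvey's code) that models the report's scenario in Python: an unchecked edit handler beside a hardened one that authorizes against the group's owner before mutating it. The group store, user ids, request shape and the `is_superadmin` bypass are constructed assumptions; only the `ugid` parameter name and the User1/User5 setup come from the report.

```python
"""Model of a user-group edit handler with and without an owner check.

Added illustration, not LimeSurvey code. The group store, user ids and
the request shape are constructed for this example; only the idea that an
edit request carries a group id (`ugid`, the parameter named in the report)
comes from the page.
"""
import copy
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the requesting user may not edit the target group."""


@dataclass
class UserGroup:
    ugid: int
    owner_id: int
    name: str


# Constructed sample data mirroring the report's scenario:
# User1 owns Group 1 and Group 2, User5 owns Group 5.
GROUPS = {
    1: UserGroup(ugid=1, owner_id=1, name="Group 1"),
    2: UserGroup(ugid=2, owner_id=1, name="Group 2"),
    5: UserGroup(ugid=5, owner_id=5, name="Group 5"),
}


def edit_group_unchecked(groups, current_user_id, request):
    """Vulnerable shape: trusts the ugid in the request and never compares
    the group's owner to the logged-in user, so anyone allowed to use the
    edit-group function can rename any group."""
    group = groups[int(request["ugid"])]
    group.name = request["name"]
    return group


def edit_group_checked(groups, current_user_id, request, is_superadmin=False):
    """Hardened shape: resolve the group, then authorize against the
    object's owner before mutating it. `is_superadmin` is an assumed
    global role that legitimately manages all groups."""
    ugid = int(request["ugid"])
    group = groups.get(ugid)
    if group is None:
        raise KeyError(f"no such group {ugid}")
    if not is_superadmin and group.owner_id != current_user_id:
        # Rejecting here (and logging it) is the fix; repeated rejections
        # from one user against foreign ugids are also a cheap detection signal.
        raise Forbidden(f"user {current_user_id} is not the owner of group {ugid}")
    group.name = request["name"]
    return group


def demo():
    """Replays the report's steps against both handlers and returns the
    resulting name of Group 5 under each."""
    vuln = copy.deepcopy(GROUPS)
    fixed = copy.deepcopy(GROUPS)
    # User1 submits an edit whose ugid points at User5's group.
    req = {"ugid": "5", "name": "renamed by user1"}
    edit_group_unchecked(vuln, current_user_id=1, request=req)
    try:
        edit_group_checked(fixed, current_user_id=1, request=req)
    except Forbidden:
        pass  # the hardened handler leaves Group 5 untouched
    return vuln[5].name, fixed[5].name


if __name__ == "__main__":
    print(demo())  # ('renamed by user1', 'Group 5')
```

The design point is that the check happens after the target object is loaded and against that object's owner field, not against a global "may edit user groups" permission, which is exactly the distinction the maintainer's question about User1's global permissions is probing.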

Impact

The ability to edit groups owned by any user.

We are processing your report and will contact the limesurvey team within 24 hours. 3 months ago
We have contacted a member of the limesurvey team and are waiting to hear back 3 months ago
Carsten Schmitz
3 months ago

Maintainer


What global permissions does User1 have in your scenario?

blacklotus
3 months ago

Researcher


user1 only has usergroup permission.

blacklotus
3 months ago

Researcher


user1 and user5 have the same permission.

Carsten Schmitz
3 months ago

Maintainer


Internal reference (please ignore) : https://bugs.limesurvey.org/view.php?id=18915

Carsten Schmitz modified the Severity from High (7.1) to Medium (5.4) 3 months ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Carsten Schmitz validated this vulnerability 3 months ago
blacklotus has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Carsten Schmitz marked this as fixed in 6.1.6 with commit d2ab1f 2 months ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
Carsten Schmitz published this vulnerability 2 months ago