Stored XSS in Notification and Data Management in limesurvey/limesurvey

Valid

Reported on

Feb 28th 2023

Description

Please enter a description of the vulnerability.

Proof of Concept

  1. Go to a survey and to Settings => Notifications and data.
  2. Turn off Inherit option for Send basic notification email to: or Send basic notification email to:
  3. Enter the following payload: "><svg/onload=alert(document.cookie)> and Save.

Impact

  • Account Takeover by stealing cookies
  • Malicious client side code execution on webpage context

References

We are processing your report and will contact the limesurvey team within 24 hours. 3 months ago
We have contacted a member of the limesurvey team and are waiting to hear back 3 months ago
Carsten Schmitz modified the Severity from Medium (4.3) to Medium (4.3) 2 months ago
Carsten Schmitz validated this vulnerability 2 months ago
Niraj Khatiwada has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Carsten Schmitz
2 months ago

Thank you. We are wokring on a fix.

Carsten Schmitz marked this as fixed in 5.6.12 with commit ef1ca0 2 months ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
This vulnerability is scheduled to go public on Mar 27th 2023
_notification_panel.php#L236 has been validated
_notification_panel.php#L212 has been validated
Carsten Schmitz gave praise 2 months ago
Thank you!
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
Carsten Schmitz published this vulnerability 2 months ago
to join this conversation