Able to edit users owned by other administration users in limesurvey/limesurvey


Reported on

Jun 17th 2023


Exploiting a vulnerability 'Take ownership' of any user, thereby being able to edit all users.

Proof of Concept

Step 1: We have user1 owned by admin1. Untitled
Step 2: By doing the 'Take ownership' action, the user1 is now owned by admin2 Untitled
Step 3: Now, admin2 is able to edit user1, and even delete user1 Untitled
Note that we can do the similar way with superadmin Untitled


Able to edit users owned by other administration users

We are processing your report and will contact the limesurvey team within 24 hours. 3 months ago
We have contacted a member of the limesurvey team and are waiting to hear back 3 months ago
Carsten Schmitz
3 months ago


Please be patient while we verify the issue - internal reference #18918

Carsten Schmitz validated this vulnerability 3 months ago
blacklotus has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Carsten Schmitz marked this as fixed in 6.1.6 with commit 269007 3 months ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
This vulnerability is scheduled to go public on Jul 3rd 2023
Carsten Schmitz published this vulnerability 3 months ago
to join this conversation