Able to change username that is by default unchangeable in limesurvey/limesurvey

Valid

Reported on

Jun 14th 2023


Description

The website receives input from the user that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.

Proof of Concept

Step 1: We have a user with ID 18833 and the username is user1, which cannot be changed.

Step 2: Choose Edit user and click the Save button, then intercept the HTTP request. We add User[users_name]=user1-changed to the body data of the HTTP request and then send it.

Step 3: As we can see, the username of user 18833 has been changed to user1-changed.

Note that we can change the username of the Superadmin demo by adding User[uid]=1' (id of user demo is 1).

Impact

Able to change the username field that is by default unchangeable
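
The mass-assignment pattern described above next to an allow-list version, as an added example in plain PHP. It is not LimeSurvey's code or the fix commit; the function names, the in-memory user rows, the full_name and email fields, and the request body are assumptions constructed for illustration.

```php
<?php
// Constructed in-memory rows standing in for the users table (assumption).
function sampleUsers(): array {
    return [
        1     => ['uid' => 1, 'users_name' => 'demo', 'full_name' => 'Demo Admin'],
        18833 => ['uid' => 18833, 'users_name' => 'user1', 'full_name' => 'User One'],
    ];
}

// Read the User[...] group from a form-encoded body; anything else yields [].
function userFields(string $body): array {
    parse_str($body, $post);
    return is_array($post['User'] ?? null) ? $post['User'] : [];
}

// Vulnerable pattern: every submitted key is copied onto the record, and the
// target row itself can be chosen by the body.
function updateUserUnsafe(array $users, int $routeUid, string $body): array {
    $fields = userFields($body);
    $uid = (int)($fields['uid'] ?? $routeUid);
    if (isset($users[$uid])) {
        $users[$uid] = array_merge($users[$uid], $fields);
    }
    return $users;
}

// Hypothetical allow-list of fields the edit form may change.
const EDITABLE_FIELDS = ['full_name', 'email'];

// Hardened pattern: the row comes from the route (the caller is assumed to have
// authorized it), only allow-listed string fields are applied, and every other
// submitted key is returned so it can be logged.
function updateUserSafe(array $users, int $routeUid, string $body): array {
    $fields = userFields($body);
    $allowed = array_filter(array_intersect_key($fields, array_flip(EDITABLE_FIELDS)), 'is_string');
    $rejected = array_keys(array_diff_key($fields, $allowed));
    if (isset($users[$routeUid])) {
        $users[$routeUid] = array_merge($users[$routeUid], $allowed);
    }
    return ['users' => $users, 'rejected' => $rejected];
}

// Constructed request body modelled on the report's Step 2 and its note.
$body = 'User[uid]=1&User[full_name]=New+Name&User[users_name]=user1-changed';
$unsafe = updateUserUnsafe(sampleUsers(), 18833, $body);
$safe = updateUserSafe(sampleUsers(), 18833, $body);
echo 'unsafe uid 1: ', $unsafe[1]['users_name'], PHP_EOL;
echo 'safe uid 1: ', $safe['users'][1]['users_name'], PHP_EOL;
echo 'safe uid 18833: ', json_encode($safe['users'][18833]), PHP_EOL;
echo 'rejected: ', implode(', ', $safe['rejected']), PHP_EOL;
```

Logging the rejected keys gives the application a signal that a client submitted fields the form never renders.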

We are processing your report and will contact the limesurvey team within 24 hours. 3 months ago
blacklotus modified the report
3 months ago
We have contacted a member of the limesurvey team and are waiting to hear back 3 months ago
Carsten Schmitz modified the Severity from High (7.2) to Medium (5.5) 3 months ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Carsten Schmitz validated this vulnerability 3 months ago
blacklotus has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Carsten Schmitz marked this as fixed in 6.1.5 with commit 46e2bb 3 months ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
Carsten Schmitz published this vulnerability 3 months ago