Stored XSS in Survey Groups Function in limesurvey/limesurvey
Jun 9th 2023
By injecting payloads into the fields (Title, Description), an attacker may compromise users who visit the "Survey list" screen.
Proof of Concept
Step 1: Log in as Administrator, go to the "Survey list" screen, and click the "create survey group" button.
Step 2: Inject the payload into the fields (Title, Description) and click the "Save" button:
<img src=x onerror=alert(1)>
Step 3: The payload is then executed
Step 4: Visit the Survey list screen; the payload is triggered there as well. URL: http://localhost/index.php?r=surveyAdministration/listsurveys
If an attacker can control a script that is executed in the victim's browser, then they can typically fully compromise that user. The attacker can carry out any of the actions that are applicable to the impact of reflected XSS vulnerabilities.
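The rendering flaw behind Steps 3 and 4, next to the same row rendered with output encoding. This is an added example, not LimeSurvey's code or the reporter's; the function names and the $group array are hypothetical stand-ins for the survey-group list view.

```php
<?php
// Added illustration, not LimeSurvey code. renderGroupRowUnsafe,
// renderGroupRowSafe, e() and $group are hypothetical names.

// Constructed sample record: the Title and Description values as they
// would be stored after Step 2 of the report.
$group = [
    'title'       => '<img src=x onerror=alert(1)>',
    'description' => '<img src=x onerror=alert(1)>',
];

// Vulnerable pattern: stored values are concatenated into HTML as-is,
// so the browser parses them as markup and runs the onerror handler.
function renderGroupRowUnsafe(array $g): string
{
    return '<tr><td>' . $g['title'] . '</td><td>' . $g['description'] . '</td></tr>';
}

// Encode a value for the HTML text/attribute context at output time.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened pattern: every stored field is encoded when it is written
// into the page, so payloads already in the database are neutralised too.
function renderGroupRowSafe(array $g): string
{
    return '<tr><td>' . e($g['title']) . '</td><td>' . e($g['description']) . '</td></tr>';
}

$unsafe = renderGroupRowUnsafe($group);
$safe   = renderGroupRowSafe($group);

// Report whether each rendered row still contains a live <img> element.
var_dump(strpos($unsafe, '<img') !== false);
var_dump(strpos($safe, '<img') !== false);
echo $safe, PHP_EOL;
```

Encoding at render time matters here because the payload is stored: filtering only at the "Save" step leaves any record written before the fix still executable on the Survey list screen.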