Stored XSS in Survey Groups Function in limesurvey/limesurvey

Valid

Reported on

Jun 9th 2023

Description

By Injecting the payloads to the fields (Title, Description), users who visited "Survey list" screen maybe compromises

Proof of Concept

Step 1: Login as Administrator, go to the "Survey list" screen function, click "create survey group" button. Imgur

Step 2: Inject the payload to the fields (Title, Description), click "Save" button Payload: <img src=x onerror=alert(1)> Imgur

Step 3: The payload is then executed Imgur

Step 4: Visit the Survey list screen, we can see the payload is also triggered URL: http://localhost/index.php?r=surveyAdministration/listsurveys Imgur

Impact

If an attacker can control a script that is executed in the victim's browser, then they can typically fully compromise that user. The attacker can carry out any of the actions that are applicable to the impact of reflected XSS vulnerabilities.

We are processing your report and will contact the limesurvey team within 24 hours. 3 months ago

We have contacted a member of the limesurvey team and are waiting to hear back 3 months ago

Carsten Schmitz validated this vulnerability 3 months ago

tuannq2299 has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

tuannq2299

commented 3 months ago

Researcher

Can you assign a CVE for this vulnerability?

Carsten Schmitz marked this as fixed in 6.1.6 with commit f0416d 3 months ago

The fix bounty has been dropped

This vulnerability will not receive a CVE

This vulnerability is scheduled to go public on Jun 26th 2023

Carsten Schmitz gave praise 3 months ago

Thank you!

The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1

Carsten Schmitz published this vulnerability 3 months ago

to join this conversation