Stored XSS in the delete confirmation popup in limesurvey/limesurvey
Jun 15th 2023
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Proof of Concept
Step 1: A user with the privilege to create groups creates a new group and passes the following payload in the "name" field.
' onclick=alert(1) '
Step 2: Another user opens the group management function and deletes the group. When the victim clicks the delete button, the XSS payload is triggered.
An attacker can steal cookies or manipulate the victim into sending requests that perform unintended actions,...
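The payload in Step 1 opens with a single quote, which suggests the group name is written into a single-quoted HTML attribute of the delete control. The added example below (not LimeSurvey's code; the button template, helper names and sample names are assumptions) compares an escaper that leaves `'` untouched with one that encodes it, and reports any attribute the template did not write.

```javascript
// Added example: hypothetical template and helpers, not LimeSurvey's code.
// Assumption: the group name is written into a single-quoted attribute.

// Encodes &, <, > and " but leaves the single quote untouched.
function escapeNoSingleQuote(s) {
  return String(s).replace(/&/g, "&amp;").replace(/</g, "&lt;")
    .replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

// Also encodes ', so the value cannot close a single-quoted attribute.
function escapeAttr(s) {
  return escapeNoSingleQuote(s).replace(/'/g, "&#39;");
}

// Hypothetical delete control carrying the group name in its confirmation text.
function renderDeleteButton(name, escape) {
  return "<a class='btn' data-message='Delete group " + escape(name) + "?'>Delete</a>";
}

// Lists attribute names of the opening tag (demo tokenizer, not a full HTML parser).
function attributeNames(html) {
  const tag = html.slice(1, html.indexOf(">")).replace(/^\S+/, "");
  const re = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?/g;
  return Array.from(tag.matchAll(re), (m) => m[1].toLowerCase());
}

// Attributes the template never wrote: any entry means the name escaped its value.
function injectedAttributes(name, escape) {
  const expected = ["class", "data-message"];
  return attributeNames(renderDeleteButton(name, escape))
    .filter((n) => !expected.includes(n));
}

// Constructed sample names: the payload from Step 1 and a benign apostrophe.
const samples = ["' onclick=alert(1) '", "O'Brien", "Team A"];
for (const name of samples) {
  console.log(JSON.stringify(name),
    "weak:", injectedAttributes(name, escapeNoSingleQuote),
    "hardened:", injectedAttributes(name, escapeAttr));
}
```

Encoding at output for the attribute context keeps the stored name inside its value whatever was saved, and it also stops benign names containing an apostrophe from breaking the markup.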