Stored XSS in the delete confirmation popup in limesurvey/limesurvey

Valid

Reported on

Jun 15th 2023


Description

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Proof of Concept

Step 1: A user with the privilege to create groups creates a new group, entering the following payload in the "name" field.

' onclick=alert(1) '


Step 2: Another user opens the group management function and deletes the group. When the victim clicks the delete button, the XSS payload is triggered.


Impact

An attacker can steal cookies or manipulate the victim into sending requests that perform unintended actions, among other things.
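As an added illustration (not LimeSurvey's own code), the pattern behind this finding: the stored group name is concatenated into a single-quoted attribute of the delete button, so the report's payload closes the quote and adds its own `onclick` attribute, while escaping for attribute context keeps the whole name inside the value. The markup, function names and the `data-group` attribute are assumed and simplified; a small quote-aware attribute tokenizer stands in for the browser so the difference can be checked rather than eyeballed.

```javascript
const ATTR_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
// Escape a value for use inside an HTML attribute (both quote styles covered).
function escapeAttr(value) {
  return String(value).replace(/[&<>"']/g, (c) => ATTR_ESCAPES[c]);
}

// Vulnerable pattern (assumed, simplified): the stored name is concatenated straight in.
function vulnerableDeleteButton(groupName) {
  return "<button class='btn-delete' data-group='" + groupName + "'>Delete</button>";
}

// Hardened pattern: same markup, the name escaped for attribute context first.
function hardenedDeleteButton(groupName) {
  return "<button class='btn-delete' data-group='" + escapeAttr(groupName) + "'>Delete</button>";
}

// Quote-aware attribute tokenizer for a single start tag: which attributes exist after injection.
function attributeNames(markup) {
  const names = [];
  let i = markup.indexOf(' ');                       // skip "<button"
  if (i < 0) return names;
  while (i < markup.length) {
    while (i < markup.length && /\s/.test(markup[i])) i++;
    if (i >= markup.length || markup[i] === '>' || markup[i] === '/') break;
    let name = '';
    while (i < markup.length && !/[\s=>\/]/.test(markup[i])) name += markup[i++];
    names.push(name.toLowerCase());
    while (i < markup.length && /\s/.test(markup[i])) i++;
    if (markup[i] !== '=') continue;                 // boolean attribute, no value
    i++;
    while (i < markup.length && /\s/.test(markup[i])) i++;
    const q = markup[i];
    if (q === "'" || q === '"') {                    // quoted value: read to the matching quote
      i++;
      while (i < markup.length && markup[i] !== q) i++;
      i++;
    } else {                                         // unquoted value: read to whitespace or '>'
      while (i < markup.length && !/[\s>]/.test(markup[i])) i++;
    }
  }
  return names;
}

// True when the tag carries an event-handler attribute the template never wrote.
function hasInjectedHandler(markup) {
  return attributeNames(markup).some((n) => n.startsWith('on'));
}

// Constructed input: the payload from the report.
const PAYLOAD = "' onclick=alert(1) '";
```

In the vulnerable output the tokenizer reports `onclick` as a real attribute of the button; in the hardened output the whole payload stays inside `data-group`.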

We are processing your report and will contact the limesurvey team within 24 hours. 3 months ago
aqngoc modified the report
3 months ago
We have contacted a member of the limesurvey team and are waiting to hear back 3 months ago
aqngoc modified the report
3 months ago
aqngoc modified the report
3 months ago
Carsten Schmitz
3 months ago

Maintainer


We are investigating if this is a duplicate. Please stay tuned (internal issue #18917).

Carsten Schmitz validated this vulnerability 3 months ago
aqngoc has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Carsten Schmitz marked this as fixed in 6.1.6 with commit 2ac580 3 months ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
This vulnerability is scheduled to go public on Jul 3rd 2023
aqngoc
3 months ago

Researcher


Sorry! I submitted 4 cases where this vulnerability appeared, so why can't I get more bonuses?

Carsten Schmitz
3 months ago

Maintainer


I am sorry, but I don't know what you mean. Can you explain?

aqngoc
3 months ago

Researcher


When I reported, I listed 4 occurrences, so why can't I get more bonuses? After the @maintainer validated the vulnerabilities, I saw a display of $24, but now it's only $15. @admin, could you please explain this to me? Thank you.

Carsten Schmitz
3 months ago

Maintainer


I am the maintainer and I have no clue. You will have to ask the people running huntr.dev. The maintainer does not set how high a bounty is, it is automatically calculated.

Carsten Schmitz published this vulnerability 3 months ago