IDOR in notification function in limesurvey/limesurvey

Valid

Reported on

Jun 26th 2023


Description

By manipulating the notId parameter, an authenticated user can view the notifications of other users.

Proof of Concept

Step 1: Log in as user demo, click on a notification and note that the notification has notId 227.
Step 2: Open another browser and log in as a different user.
Step 3: Access the URL below to view the notification of user demo:

https://demo.limesurvey.org/index.php?r=admin/notification&sa=getNotificationAsJSON&notId=227
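The following is an added illustration, not code from the report or from LimeSurvey, of the authorisation gap the proof of concept exercises: a handler that loads a notification by notId alone, next to one that also requires the notification to belong to the logged-in user. The in-memory rows, the function names and the $currentUserId parameter are constructed for the example; LimeSurvey's real model, controller and the fix in commit 97859d are not reproduced here.

```php
<?php
// Added example (not LimeSurvey code): vulnerable vs. hardened notification lookup.
// Rows, function names and the $currentUserId parameter are constructed for the example.

declare(strict_types=1);

// Constructed notification rows: notId => owning user id and title.
const NOTIFICATIONS = [
    227 => ['owner_uid' => 1, 'title' => 'Survey "Customer feedback" activated'],
    228 => ['owner_uid' => 2, 'title' => 'Password changed'],
];

/** Vulnerable pattern: any authenticated user can fetch any notId (the reported IDOR). */
function getNotificationAsJsonVulnerable(int $notId, int $currentUserId): string
{
    $row = NOTIFICATIONS[$notId] ?? null;
    if ($row === null) {
        return json_encode(['error' => 'not found']);
    }
    // $currentUserId is never compared with the row's owner.
    return json_encode(['id' => $notId, 'title' => $row['title']]);
}

/** Hardened pattern: the lookup is scoped to the current user. */
function getNotificationAsJsonFixed(int $notId, int $currentUserId): string
{
    $row = NOTIFICATIONS[$notId] ?? null;
    if ($row === null || $row['owner_uid'] !== $currentUserId) {
        // Same response for "does not exist" and "not yours", so the endpoint
        // cannot be used to confirm which ids exist.
        return json_encode(['error' => 'not found']);
    }
    return json_encode(['id' => $notId, 'title' => $row['title']]);
}

// Demonstration: user 2 requests notId 227, which belongs to user 1.
printf("vulnerable: %s\n", getNotificationAsJsonVulnerable(227, 2));
printf("fixed:      %s\n", getNotificationAsJsonFixed(227, 2));
printf("fixed own:  %s\n", getNotificationAsJsonFixed(228, 2));
```

Run with `php example.php`. In a database-backed application the ownership predicate belongs in the query itself (select by id and owner in one WHERE clause) rather than in a check performed after an unrestricted load, so that there is no code path on which the foreign row has already been fetched.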

Impact

By manipulating the notId, an attacker can view the notifications of any user whose notId they know, and notIds are guessable.
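Because the identifier is guessable, the pattern this issue leaves behind on an unpatched instance is one client fetching many distinct notId values from the notification endpoint. As an added example (not part of the report and not LimeSurvey code), the script below scans constructed access log lines in common log format for that pattern; the log lines, the client key (source address) and the threshold are assumptions for the example.

```php
<?php
// Added example (not from the report or LimeSurvey): flag clients that request many
// distinct notId values from the notification endpoint. Log lines are constructed.

declare(strict_types=1);

const SAMPLE_LOG = <<<'LOG'
10.0.0.5 - - [26/Jun/2023:10:00:01 +0000] "GET /index.php?r=admin/notification&sa=getNotificationAsJSON&notId=228 HTTP/1.1" 200 311
10.0.0.9 - - [26/Jun/2023:10:00:02 +0000] "GET /index.php?r=admin/notification&sa=getNotificationAsJSON&notId=225 HTTP/1.1" 200 298
10.0.0.9 - - [26/Jun/2023:10:00:02 +0000] "GET /index.php?r=admin/notification&sa=getNotificationAsJSON&notId=226 HTTP/1.1" 200 305
10.0.0.9 - - [26/Jun/2023:10:00:03 +0000] "GET /index.php?r=admin/notification&sa=getNotificationAsJSON&notId=227 HTTP/1.1" 200 311
10.0.0.9 - - [26/Jun/2023:10:00:03 +0000] "GET /index.php?r=admin/notification&sa=getNotificationAsJSON&notId=228 HTTP/1.1" 200 311
10.0.0.5 - - [26/Jun/2023:10:00:04 +0000] "GET /index.php?r=admin/survey/sa/listsurveys HTTP/1.1" 200 8120
LOG;

/**
 * Returns [client => list of distinct notIds] for every client whose number of
 * distinct notId requests reaches $threshold; other clients are omitted.
 */
function findNotificationEnumerators(string $log, int $threshold): array
{
    // Client address, then the notId of a getNotificationAsJSON request.
    $pattern = '~^(\S+) .*?"GET [^"]*sa=getNotificationAsJSON[^"]*[?&]notId=(\d+)~';
    $seen = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (preg_match($pattern, $line, $m) !== 1) {
            continue;
        }
        $seen[$m[1]][(int) $m[2]] = true;
    }
    $flagged = [];
    foreach ($seen as $client => $ids) {
        if (count($ids) >= $threshold) {
            $flagged[$client] = array_keys($ids);
        }
    }
    return $flagged;
}

// With the sample above and a threshold of 3, only 10.0.0.9 is reported.
foreach (findNotificationEnumerators(SAMPLE_LOG, 3) as $client => $ids) {
    printf("%s requested %d distinct notId values: %s\n", $client, count($ids), implode(', ', $ids));
}
```

Keying on the authenticated user or session id instead of the source address gives a more reliable signal where that is logged, since one legitimate user behind a shared address otherwise inflates the count.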

We are processing your report and will contact the limesurvey team within 24 hours. 3 months ago
We have contacted a member of the limesurvey team and are waiting to hear back 3 months ago
Carsten Schmitz modified the Severity from Medium (6.5) to Medium (4.3) 3 months ago
Carsten Schmitz (Maintainer), 3 months ago:

Internal reference: #18923

The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Carsten Schmitz validated this vulnerability 3 months ago
tuannq2299 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Carsten Schmitz marked this as fixed in 6.1.7 with commit 97859d 2 months ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
Carsten Schmitz published this vulnerability 2 months ago