Incorrect Authorization leads to delete user in limesurvey/limesurvey
Jun 15th 2023
The application is experiencing incorrect permission settings, leading to the user with user administration rights being able to delete anyone, including users who are not under their management authority.
Proof of Concept
Step1:The User Demo (super admin) creates a user admin with user management privileges, but this user admin can only delete users created by themselves.
Step2: The user admin opens the Inspector window in the browser and removes the "disable" class to be able to click on the "delete user" button.
Step3: After clicking "Delete user," a popup window appears, and the user admin clicks "delete" to proceed. User admin2, created by the demo user, will be removed.
Other users or higher-level administrators can be deleted, resulting in them being unable to access the system anymore.