Stored XSS in End page in limesurvey/limesurvey

Valid

Reported on May 30th 2023

Description

A user who only has permission to create surveys (not an administrator) can bypass the End URL validation and embed a javascript: URL in a survey.

Steps to reproduce

  • Login as administrator
  1. Open User management and create a user with "create surveys" permission only.
  2. Logout.
  • Attacker
  1. Login as the user with "create surveys" permission only.
  2. Open Create survey and create a valid survey.
  3. Click Settings and open Text elements.
  4. Fill javascript:alert(1)// in End URL and save.
  5. The javascript: scheme is caught by validation and the saved value becomes alert(1)//.
  6. Fill javasjavascript:cript:alert(1)// in End URL and save.
  7. The saved result is javascript:alert(1)//, so the javascript: scheme is embedded. (If you put text in the 'URL description:' field the attack is more likely to succeed, because the link text is shown instead of the URL.)
  8. Activate the survey.
  • Victim
  1. Open the attacker-generated survey and finish it.
  2. Click the link on the final page.
  3. JavaScript executes.

Impact

Cross site scripting attacks can have devastating consequences. Code injected into a vulnerable application can exfiltrate data or install malware on the user’s machine. Attackers can masquerade as authorized users via session cookies, allowing them to perform any action allowed by the user account.

Occurrences

The validation removes javascript: only once, so a value in which one javascript: is split around another still reads javascript: after the single removal. The removal has to be repeated until nothing is left to remove.
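The following is an added example, not LimeSurvey's own code and not the contents of LSYii_Validators.php: a hypothetical single-pass filter modelled on the behaviour the report describes, the fixed-point loop the report asks for, and a stricter scheme allowlist that rejects the value instead of rewriting it. The function names, the payload list and the allowlist are assumptions made for the illustration.

```php
<?php
// Hypothetical single-pass filter (assumption, not the project's code).
// Removing the inner "javascript:" from a nested payload re-assembles an
// outer one, which is exactly the bypass in the report.
function stripJavascriptOnce(string $url): string
{
    return str_ireplace('javascript:', '', $url);
}

// Fix in the spirit of the report: repeat until the value stops changing,
// so no nesting depth survives.
function stripJavascriptUntilStable(string $url): string
{
    do {
        $before = $url;
        $url = str_ireplace('javascript:', '', $url);
    } while ($url !== $before);
    return $url;
}

// Stronger option: do not sanitise at all, only accept http(s) or relative
// targets and reject everything else. Control characters and whitespace are
// removed before matching because browsers ignore them inside a scheme.
function isAllowedEndUrl(string $url): bool
{
    $normalized = preg_replace('/[\x00-\x20]+/', '', $url);
    if (preg_match('#^([a-z][a-z0-9+.\-]*):#i', $normalized, $m)) {
        return in_array(strtolower($m[1]), ['http', 'https'], true);
    }
    return true; // no scheme at all: a relative URL
}

// Constructed sample inputs: the two payloads from the report, a deeper
// nesting, and a legitimate end URL.
$samples = [
    'javascript:alert(1)//',
    'javasjavascript:cript:alert(1)//',
    'javasjavasjavascript:cript:cript:alert(1)//',
    'https://example.org/thanks',
];

foreach ($samples as $s) {
    printf("%-46s once=%-24s stable=%-12s allowed=%s\n",
        $s,
        stripJavascriptOnce($s),
        stripJavascriptUntilStable($s),
        isAllowedEndUrl($s) ? 'yes' : 'no'
    );
}
```

For the second sample the single-pass filter returns javascript:alert(1)//, the loop returns alert(1)//, and the allowlist check returns false; the legitimate https URL is untouched by both filters and passes the allowlist. A defender reviewing a similar validator should look for the same pattern: any "remove the bad substring" filter that runs once is bypassable by nesting, and the safer design is to validate the parsed scheme and reject rather than rewrite.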

We are processing your report and will contact the limesurvey team within 24 hours. 4 months ago
We have contacted a member of the limesurvey team and are waiting to hear back 4 months ago
Carsten Schmitz validated this vulnerability 3 months ago
yujitounai has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Carsten Schmitz marked this as fixed in 6.1.7 with commit eaad89 2 months ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
Carsten Schmitz published this vulnerability 2 months ago
LSYii_Validators.php#L73 has been validated