Reflected XSS via "importFormat" parameter in limesurvey/limesurvey

Valid

Reported on

Jun 29th 2023

Description

Please enter a description of the vulnerability.

Proof of Concept

Login as administrator or any user with access to User import/export feature.
Visit the following URL http://LIMESURVEY/index.php/userManagement/renderUserImport?importFormat=%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E

Impact

An attacker can inject any HTML/Javascript code into the webpage in user context and perform actions on behalf of the administrator user.

References

https://owasp.org/www-community/attacks/xss/

We are processing your report and will contact the limesurvey team within 24 hours. 3 months ago

Niraj Khatiwada modified the report

3 months ago

We have contacted a member of the limesurvey team and are waiting to hear back 3 months ago

tiborpacalat

commented 2 months ago

Maintainer

Internal tracking number: 18985

Denis Chenu modified the Severity from High (8) to High (8.8) 2 months ago

The researcher has received a minor penalty to their credibility for miscalculating the severity: -1

tiborpacalat validated this vulnerability a month ago

Niraj Khatiwada has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

tiborpacalat marked this as fixed in 6.2.1+230807 with commit 553f3c a month ago

The fix bounty has been dropped

This vulnerability will not receive a CVE

tiborpacalat published this vulnerability a month ago

to join this conversation