Reflected XSS via "importFormat" parameter in limesurvey/limesurvey


Reported on

Jun 29th 2023


Please enter a description of the vulnerability.

Proof of Concept

  • Login as administrator or any user with access to User import/export feature.
  • Visit the following URL http://LIMESURVEY/index.php/userManagement/renderUserImport?importFormat=%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E


An attacker can inject any HTML/Javascript code into the webpage in user context and perform actions on behalf of the administrator user.

We are processing your report and will contact the limesurvey team within 24 hours. 3 months ago
Niraj Khatiwada modified the report
3 months ago
We have contacted a member of the limesurvey team and are waiting to hear back 3 months ago
2 months ago


Internal tracking number: 18985

Denis Chenu modified the Severity from High (8) to High (8.8) 2 months ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
tiborpacalat validated this vulnerability a month ago
Niraj Khatiwada has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
tiborpacalat marked this as fixed in 6.2.1+230807 with commit 553f3c a month ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
tiborpacalat published this vulnerability a month ago
to join this conversation