Improper Authorization leads to privilege escalation in limesurvey/limesurvey


Reported on

Jun 15th 2023


The application does not correctly authorize role changes: a user who holds only the user management role is able to modify their own permissions or those of other users.

Proof of Concept

Step 1: The highest-level administrator, or an administrator with the permission to create roles, creates a role named 'super admin' with full privileges.


Step 2: A user who only has the authority to manage users can still modify their own role: they open the browser's Inspector window and remove the 'disable' class that greys out the role selector.


Step 3: They select the 'super admin' role and click save. The user's permissions have now been changed.



A user with the user management role can therefore change the role of anyone, including themselves; the only control preventing it was a disabled form field in the browser.
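The defect above is a role-assignment check performed only in the browser. The following is an added illustration, not LimeSurvey's code and not the fix from commit a2eece (which the page does not show): a server-side model in which the weak check (anyone who can update users may set any role) sits beside a hardened one that requires a distinct role-assignment permission, refuses self-modification, and refuses to grant a role holding permissions the actor lacks. Role names, permission names and users are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Role:
    name: str
    permissions: frozenset

@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)  # names of roles held

# Constructed role catalogue (not LimeSurvey's): 'user_management' can administer
# accounts; 'super admin' is the full-privilege role created in Step 1 of the report.
ROLES = {
    "user_management": Role("user_management", frozenset({"users:read", "users:update"})),
    "super admin": Role("super admin", frozenset({"users:read", "users:update", "roles:assign", "surveys:all"})),
}

def effective_permissions(user):
    """Union of the permissions of every role the user holds."""
    return frozenset().union(*(ROLES[r].permissions for r in user.roles))

def vulnerable_assign_role(actor, target, role_name):
    """Weak check: anyone who may update users may set any role, including their own.
    The UI only greys the selector out, and the server never re-checks the request."""
    if "users:update" not in effective_permissions(actor):
        raise PermissionError("not allowed to update users")
    target.roles = {role_name}

def hardened_assign_role(actor, target, role_name):
    """Checks enforced on every request, whatever the client's form said."""
    actor_perms = effective_permissions(actor)
    if "roles:assign" not in actor_perms:                # separate permission for role changes
        raise PermissionError("not allowed to assign roles")
    if actor.name == target.name:                        # policy choice: no self-modification
        raise PermissionError("cannot change your own role")
    if not ROLES[role_name].permissions <= actor_perms:  # no granting beyond what you hold
        raise PermissionError("cannot grant a role with permissions you lack")
    target.roles = {role_name}

def attempt(assign, actor, target, role_name):
    """Run an assignment and return the outcome as a string instead of raising."""
    try:
        assign(actor, target, role_name)
        return "granted"
    except PermissionError as exc:
        return f"denied: {exc}"
```

With the weak check, `attempt(vulnerable_assign_role, manager, manager, "super admin")` returns "granted" and the manager now holds every permission; with the hardened check the same call is denied and a genuine super admin is still able to assign the role to someone else.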

We are processing your report and will contact the limesurvey team within 24 hours. 3 months ago
We have contacted a member of the limesurvey team and are waiting to hear back 3 months ago
Carsten Schmitz validated this vulnerability 3 months ago
aqngoc has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Carsten Schmitz
3 months ago


Duplicate of

3 months ago


I can't view, access denied

Carsten Schmitz marked this as fixed in 6.1.6 with commit a2eece 3 months ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
This vulnerability is scheduled to go public on Jul 3rd 2023
3 months ago


Can it be assigned a CVE?

Carsten Schmitz published this vulnerability 3 months ago