The user can put their survey in the survey groups even though this survey group is not in public mode in limesurvey/limesurvey

Valid

Reported on

Jun 28th 2023


Description

The user can put their survey in the survey groups even though this survey group is not in public mode

Proof of Concept

Step 1: The survey group SG03 isn't in public mode
Step 2: In the "Survey groups" tab, User2 (with only survey permission) only sees the survey group Default
Step 3: But when performing "Change survey group" action, User2 can see the survey group SG03 and put a survey in this group
Step 4: A survey is put in SG03 successfully

Impact

The user can put their survey in the survey groups even though this survey group is not in public mode
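
The mismatch in the steps above (the "Survey groups" tab filters by visibility, the "Change survey group" action does not) can be modelled as follows. This is an added example, not LimeSurvey's code and not the fix from commit 455646; the names `Group`, `Survey`, `can_use_group` and the policy "public, owned, or explicitly granted" are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Group:
    gid: int
    name: str
    public: bool                      # "public mode" in the report
    owner: str
    granted: set = field(default_factory=set)  # users given access (assumed)

@dataclass
class Survey:
    sid: int
    owner: str
    gid: int

# Constructed sample data mirroring the report: SG03 is not public.
GROUPS = {
    1: Group(1, "Default", public=True, owner="admin"),
    3: Group(3, "SG03", public=False, owner="admin"),
}

def can_use_group(user, group):
    """One predicate shared by listing and assignment (assumed policy)."""
    return group.public or group.owner == user or user in group.granted

def groups_tab(user):
    """What the 'Survey groups' tab shows; also the right source for form options."""
    return sorted(g.name for g in GROUPS.values() if can_use_group(user, g))

def change_group_unchecked(user, survey, gid):
    """Pattern behind the report: only the survey permission is checked."""
    if survey.owner != user:
        raise PermissionError("no permission on survey")
    survey.gid = gid                  # target group is never authorized
    return survey.gid

def change_group_checked(user, survey, gid):
    """Same action, with the target group authorized on the server side."""
    if survey.owner != user:
        raise PermissionError("no permission on survey")
    group = GROUPS.get(gid)
    if group is None or not can_use_group(user, group):
        raise PermissionError("survey group not available to this user")
    survey.gid = gid
    return survey.gid
```

Filtering the form's option list alone is not sufficient, because the group id arrives in the request and can be changed by the client; the check has to sit in the action that writes the assignment.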

We are processing your report and will contact the limesurvey team within 24 hours. 3 months ago
We have contacted a member of the limesurvey team and are waiting to hear back 3 months ago
blacklotus
2 months ago

Researcher


Hello, any update on this vulnerability?

tiborpacalat
2 months ago

Maintainer


Internal tracking number: 18979

tiborpacalat validated this vulnerability a month ago
blacklotus has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
tiborpacalat marked this as fixed in 6.2.1+230807 with commit 455646 a month ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
tiborpacalat published this vulnerability a month ago