Stored Cross-Site Scripting in survey administrator name in limesurvey/limesurvey
Reported on
Feb 16th 2023
Description
The administrator name field in Survey settings has a Stored Cross-Site Scripting vulnerability because the user-supplied administrator name is stored and rendered without sanitization or output encoding. A user can enter the JavaScript payload "><script>alert(document.cookie)</script> in the Administrator name field, and the XSS executes in the authenticated user's context as well as on the survey error page.
Proof of Concept
1: Login to LimeSurvey demo application: http://demo.limesurvey.org/index.php?r=admin/authentication/sa/login
2: Navigate to the surveys perspective and open the first survey "test": https://demo.limesurvey.org/index.php?r=surveyAdministration/view&surveyid=569963
3: Scroll down to the "Survey general settings" option
4: In survey settings, change the Inherit setting for Administrator to OFF and change the Administrator name to "><script>alert(document.cookie)</script>
5: Click on Save
6: The JavaScript executes. The payload is reflected in the UI below the Administrator name input field, where the user-entered value is rendered without encoding.
7: Additionally, the stored XSS is also present on the actual survey error page if the survey has no questions. To see the XSS execute there as well, navigate to the survey page https://demo.limesurvey.org/index.php?r=survey/index&sid=569963&newtest=Y&lang=en and the payload will execute.
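The output-encoding bug behind this finding, as an added illustration that is not LimeSurvey code: a hypothetical vulnerable renderer that interpolates the stored administrator name unescaped next to its encoded counterpart, plus a defender-side sweep that flags stored names containing HTML metacharacters so existing injections can be reviewed. The survey records, ids and the benign name are constructed.

```python
import html
import re

# Constructed sample records standing in for stored survey settings; the
# first name is the payload quoted in the report, the second is benign.
SURVEYS = [
    {"sid": 569963, "admin": '"><script>alert(document.cookie)</script>'},
    {"sid": 100001, "admin": "Jane O'Connor"},
]


def render_unsafe(admin_name):
    """Vulnerable pattern: the stored administrator name is written into
    the input's value attribute and into the help text below it unescaped,
    so "> closes the attribute and the rest is parsed as markup."""
    return (f'<input name="admin" value="{admin_name}">'
            f'<p class="help">Administrator: {admin_name}</p>')


def render_safe(admin_name):
    """Hardened pattern: encode on output. quote=True also encodes the
    double quote, which is what defeats the "> attribute breakout."""
    safe = html.escape(admin_name, quote=True)
    return (f'<input name="admin" value="{safe}">'
            f'<p class="help">Administrator: {safe}</p>')


def has_raw_script(rendered):
    """Regression check: a raw <script element in rendered output means
    the value reached the page without encoding."""
    return "<script" in rendered.lower()


def find_suspect_admin_names(surveys):
    """Sweep over stored settings: return the ids of surveys whose
    administrator name contains HTML metacharacters, so they can be
    reviewed and cleaned. Angle brackets in a legitimate name are
    flagged too; that is acceptable for a review list."""
    meta = re.compile(r'[<>"]')
    return [s["sid"] for s in surveys if meta.search(s["admin"])]
```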
Impact
The user's cookie is accessible via JavaScript, and since this is a stored XSS, it could be used for mass account takeover. A malicious user could simply send a bad survey error page link with the stored XSS to innocent users. The JavaScript would then capture all those users' cookies and send them to a server hosted by the malicious entity, who could take over all their accounts using their cookies.
I have added a video of the detailed steps to reproduce: https://drive.google.com/drive/folders/1txl8d63NiwKVGnZCgCkimBKHAnpTDMnG?usp=sharing