Stored Cross-Site Scripting in survey administrator name in limesurvey/limesurvey


Reported on

Feb 16th 2023


The administrator name field in Survey settings has a Stored Cross-Site scripting vulnerability as it does not sanitize the user input administrator name. A user can enter the javascript payload "><script>alert(document.cookie)</script> in the Administrator name field and the XSS executes in the authenticated user's context as well as on the survey error page.

Proof of Concept

1: Login to LimeSurvey demo application:

2: Navigate to the surveys perspective and open the first survey "test" :

3: Scroll below to "Survey general settings" option

4: In survey settings, change the Inherit setting for Administrator to OFF and change the Administrator name to "><script>alert(document.cookie)</script>

5: Click on Save

6: The Javascript will execute. The reflection on the UI is below the Administrator input field, where the user entered input is displayed.

7: Additionally, the stored XSS also exists on the actual survey error page, if the survey does not have questions. To watch the XSS execute there as well, navigate to the survey page

The XSS will execute.


The user's cookie is accessible via Javascript, and since this is a stored XSS, it could be used for mass account takeover. A malicious user could simply send a bad survey error page link with stored XSS to innocent users. The Javascript will then capture all those users cookie and send it to a server hosted by the malicious entity, who can take over all their accounts using their cookie.

We are processing your report and will contact the limesurvey team within 24 hours. a month ago
a month ago


Have added a video of detailed steps to reproduce in this video:

We have contacted a member of the limesurvey team and are waiting to hear back a month ago
Carsten Schmitz modified the Severity from High (7.6) to Medium (4.3) a month ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Carsten Schmitz validated this vulnerability a month ago
ar6aaz has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Carsten Schmitz marked this as fixed in 5.6.6 with commit 4d39d1 a month ago
Carsten Schmitz has been awarded the fix bounty
This vulnerability will not receive a CVE
This vulnerability is scheduled to go public on Feb 20th 2023
Carsten Schmitz published this vulnerability a month ago
to join this conversation