Incorrect Authorization in User role in limesurvey/limesurvey


Reported on

Sep 27th 2023


Incorrect Authorization in User role

Proof of Concept

1. By default, the administrator (User ID = 1) cannot add user roles.

2. Remove the "disable" class on the control using the browser's Inspect tool.

3. After that, the user role is added successfully.

Video PoC


Add arbitrary user roles without authenticating users, affecting permissions.
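The PoC above works because the "add role" control is only disabled in the browser, so removing the CSS class re-enables a request the server then accepts. As an added illustration (not LimeSurvey's code and not part of the report), the hypothetical PHP handler below shows that pattern beside one that re-checks the permission server-side and logs denied attempts; `userCanCreateRoles`, `addRoleVulnerable` and `addRoleHardened` are assumed names.

```php
<?php
// Hypothetical permission lookup; a real application would query its
// permission store rather than an in-memory array.
function userCanCreateRoles(array $user): bool
{
    return !empty($user['permissions']['role_create']);
}

// Vulnerable pattern: the UI hides the button, but the handler that the
// re-enabled form posts to performs no authorization check at all.
function addRoleVulnerable(array $user, array &$roles, string $roleName): bool
{
    $roles[] = $roleName;
    return true;
}

// Hardened pattern: the server decides on every request, regardless of what
// the client-side markup said. Denials are logged so that repeated attempts
// from a non-privileged account can be detected.
function addRoleHardened(array $user, array &$roles, string $roleName): array
{
    if (!userCanCreateRoles($user)) {
        error_log(sprintf('role_create denied for user %d (role "%s")',
            $user['id'], $roleName));
        return ['ok' => false, 'status' => 403, 'error' => 'not permitted to create roles'];
    }
    if ($roleName === '' || strlen($roleName) > 64) {
        return ['ok' => false, 'status' => 400, 'error' => 'invalid role name'];
    }
    $roles[] = $roleName;
    return ['ok' => true, 'status' => 201];
}

// Constructed scenario: the admin account whose button is disabled because
// the permission flag is absent, sending the request the PoC produces.
$admin = ['id' => 1, 'permissions' => []];
$roles = [];
var_dump(addRoleVulnerable($admin, $roles, 'auditor')); // bool(true): role created anyway
$res = addRoleHardened($admin, $roles, 'auditor');
var_dump($res['ok']);                                   // bool(false): rejected with 403
```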

We are processing your report and will contact the limesurvey team within 24 hours. 2 months ago


Internal tracking number: 19126

HaiNguyen modified the report 2 months ago


@tiborpacalat, I'm sorry for the inconvenience. Maybe I misunderstood CSRF. I have revised the report. Please check the report again. Thank you very much.

We have contacted a member of the limesurvey team and are waiting to hear back 2 months ago
tiborpacalat validated this vulnerability 2 months ago
HaiNguyen has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
tiborpacalat marked this as fixed in 6.2.11+231007 with commit e8dc90 2 months ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
tiborpacalat published this vulnerability 2 months ago