Bootstrap-switch 3.3.2 in use which is vulnerable to XSS in limesurvey/limesurvey
Valid
Reported on Feb 21st 2023
Description
LimeSurvey bundles Bootstrap-switch 3.3.2, a version that is vulnerable to cross-site scripting (XSS).
Proof of Concept
1) Go to https://demo.limesurvey.org/tmp/assets/12fba870/js/bootstrap-switch.min.js and note that the served Bootstrap-switch is version 3.3.2.
2) Check https://github.com/LimeSurvey/LimeSurvey/blob/master/assets/packages/bootstrap/plugins/switch/js/bootstrap-switch.js and note that the vendored Bootstrap-switch is version 3.3.2.
3) Go to https://security.snyk.io/vuln/SNYK-JS-BOOTSTRAPSWITCH-597113 and note that this version is listed as vulnerable to XSS.
4) Execute the PoC from the references below.
Reference: https://jsfiddle.net/876myrk5/
Reference: https://github.com/Bttstrp/bootstrap-switch/pull/730
Impact
Executing the proof of concept results in cross-site scripting (XSS) through the bundled Bootstrap-switch library.
Joshua Chan modified the report
The fix bounty has been dropped
This vulnerability will not receive a CVE
This vulnerability is scheduled to go public on Feb 27th 2023
Thank you!