Unauthorized access to Survey menu entries in limesurvey/limesurvey


Reported on

Jun 29th 2023


The application is not properly verifying the authorization of users accessing survey menu entries.

Proof of Concept

  1. Login as a user with limited privilege. In my case the user permission is set as follows and has no access to surveys.
  2. Visit http://LIMESURVEY/index.php/admin/menus/sa/view to view the survey menu entries.


Unauthorized users can access data and features that they are not permitted to.

We are processing your report and will contact the limesurvey team within 24 hours. 5 months ago
We have contacted a member of the limesurvey team and are waiting to hear back 5 months ago
4 months ago


Internal tracking number: 19002

Niraj Khatiwada modified the report
4 months ago
tiborpacalat validated this vulnerability 2 months ago
Niraj Khatiwada has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
tiborpacalat marked this as fixed in 6.2.6+230904 with commit b7e7da 2 months ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
tiborpacalat published this vulnerability 2 months ago
index.php#L1-L75 has been validated
to join this conversation