Unauthorized access to Survey menu entries in limesurvey/limesurvey
Jun 29th 2023
The application does not properly verify the authorization of users accessing
survey menu entries.
Proof of Concept
- Log in as a user with limited privileges. In my case, the user permission is set as follows and has no access to surveys.
- Visit http://LIMESURVEY/index.php/admin/menus/sa/view to view the survey menu entries.
Unauthorized users can access data and features that they are not permitted to access.
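The flaw described above, modelled as an added example that is not LimeSurvey's code or its fix: a dispatcher that only checks for a logged-in session, next to one that also enforces a per-route permission and denies by default. The `User` class, the `REQUIRED` map, both dispatch functions and the permission name `surveymenus:read` are hypothetical; only the route comes from the report.

```php
<?php
declare(strict_types=1);

// Hypothetical model, not LimeSurvey code: a user holding a set of granted
// global permissions written as "entity:action".
final class User
{
    /** @param string[] $grants */
    public function __construct(public string $name, private array $grants = []) {}

    public function can(string $permission): bool
    {
        return in_array($permission, $this->grants, true);
    }
}

// Route => permission required. Routes missing from this map are refused.
const REQUIRED = [
    'admin/menus/sa/view' => 'surveymenus:read', // assumed permission name
];

// Flawed pattern: any authenticated session reaches the action.
function dispatchLoginOnly(?User $user, string $route): int
{
    return $user === null ? 401 : 200; // $route is never consulted
}

// Corrected pattern: authentication first, then a per-route permission
// check that denies when the route has no declared requirement.
function dispatchAuthorized(?User $user, string $route): int
{
    if ($user === null) {
        return 401;
    }
    $needed = REQUIRED[$route] ?? null;
    if ($needed === null || !$user->can($needed)) {
        return 403;
    }
    return 200;
}

// Constructed sample accounts: one with no grants, one with the menu grant.
$limited = new User('limited');
$admin   = new User('admin', ['surveymenus:read']);
$route   = 'admin/menus/sa/view';

printf("login-only, limited user: %d\n", dispatchLoginOnly($limited, $route));
printf("authorized, limited user: %d\n", dispatchAuthorized($limited, $route));
printf("authorized, admin user:   %d\n", dispatchAuthorized($admin, $route));
```

Running the same low-privilege account against every admin route in a regression test, and asserting a 403 wherever the permission is absent, catches this class of gap before release.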