Stored XSS in Notification and Data Management in limesurvey/limesurvey

Valid

Reported on

Feb 28th 2023

Description

Please enter a description of the vulnerability.

Proof of Concept

Go to a survey and to Settings => Notifications and data.
Turn off Inherit option for Send basic notification email to: or Send basic notification email to:
Enter the following payload: "><svg/onload=alert(document.cookie)> and Save.

Impact

Account Takeover by stealing cookies
Malicious client side code execution on webpage context

Occurrences

_notification_panel.php L236

_notification_panel.php L212

References

OWASP

We are processing your report and will contact the limesurvey team within 24 hours. 9 months ago

We have contacted a member of the limesurvey team and are waiting to hear back 9 months ago

Carsten Schmitz modified the Severity from Medium (4.3) to Medium (4.3) 8 months ago

Carsten Schmitz validated this vulnerability 8 months ago

Niraj Khatiwada has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

Carsten Schmitz

commented 8 months ago

Maintainer

Thank you. We are wokring on a fix.

Carsten Schmitz marked this as fixed in 5.6.12 with commit ef1ca0 8 months ago

The fix bounty has been dropped

This vulnerability will not receive a CVE

This vulnerability is scheduled to go public on Mar 27th 2023

_notification_panel.php#L236 has been validated

_notification_panel.php#L212 has been validated

Carsten Schmitz gave praise 8 months ago

Thank you!

The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1

Carsten Schmitz published this vulnerability 8 months ago

to join this conversation