Stored XSS in Notification and Data Management in limesurvey/limesurvey


Reported on

Feb 28th 2023


Please enter a description of the vulnerability.

Proof of Concept

  1. Go to a survey and to Settings => Notifications and data.
  2. Turn off Inherit option for Send basic notification email to: or Send basic notification email to:
  3. Enter the following payload: "><svg/onload=alert(document.cookie)> and Save.


Impact

  • Account Takeover by stealing cookies
  • Malicious client-side code execution on webpage context
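
The payload in step 3 opens with "> , which is consistent with the stored value being written into a double-quoted HTML attribute without output encoding. The following is an added example, not LimeSurvey's code and not the fix in commit ef1ca0: it shows that pattern beside an output-encoded version and a save-time check. The function names and the notify_to field name are hypothetical, and the semicolon-separated address format is an assumption.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers for illustration; none of these are LimeSurvey functions.

// Vulnerable pattern: the stored value is concatenated into a double-quoted
// attribute, so a value beginning with "> closes the attribute and the tag,
// and whatever follows is parsed as new markup.
function renderRecipientFieldUnsafe(string $stored): string
{
    return '<input type="text" name="notify_to" value="' . $stored . '">';
}

// Hardened pattern: encode for the HTML attribute context at output time.
// ENT_QUOTES encodes both quote characters; ENT_SUBSTITUTE replaces invalid
// UTF-8 sequences instead of returning an empty string.
function renderRecipientFieldSafe(string $stored): string
{
    $encoded = htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="notify_to" value="' . $encoded . '">';
}

// Defence in depth at save time: list the entries that are not e-mail addresses.
// Assumption: the field holds a semicolon-separated list of addresses.
// This complements output encoding; it does not replace it.
function invalidRecipients(string $raw): array
{
    $bad = [];
    foreach (explode(';', $raw) as $entry) {
        $entry = trim($entry);
        if ($entry !== '' && filter_var($entry, FILTER_VALIDATE_EMAIL) === false) {
            $bad[] = $entry;
        }
    }
    return $bad;
}

// The payload from step 3 of the report, used here as the stored value.
$payload = '"><svg/onload=alert(document.cookie)>';

echo renderRecipientFieldUnsafe($payload), PHP_EOL; // attribute is broken out of
echo renderRecipientFieldSafe($payload), PHP_EOL;   // payload stays inside value=""
print_r(invalidRecipients('admin@example.com; ' . $payload)); // entries to reject
```

Encoding at the point of output protects every page that renders the setting, including values saved before any validation was introduced.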


We are processing your report and will contact the limesurvey team within 24 hours. 9 months ago
We have contacted a member of the limesurvey team and are waiting to hear back 9 months ago
Carsten Schmitz modified the Severity from Medium (4.3) to Medium (4.3) 8 months ago
Carsten Schmitz validated this vulnerability 8 months ago
Niraj Khatiwada has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Carsten Schmitz
8 months ago


Thank you. We are working on a fix.

Carsten Schmitz marked this as fixed in 5.6.12 with commit ef1ca0 8 months ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
This vulnerability is scheduled to go public on Mar 27th 2023
Carsten Schmitz gave praise 8 months ago
Thank you!
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
Carsten Schmitz published this vulnerability 8 months ago