Able to edit users owned by other administration users in limesurvey/limesurvey

Valid

Reported on

Jun 17th 2023


Description

Exploiting a vulnerability in 'Take ownership' of any user, thereby being able to edit all users.

Proof of Concept

Step 1: We have user1 owned by admin1.
Step 2: By doing the 'Take ownership' action, user1 is now owned by admin2.
Step 3: Now, admin2 is able to edit user1, and even delete user1.
Note that we can do the same with superadmin.

Impact

Able to edit users owned by other administration users
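The missing authorization check behind the report, as an added illustration that is not LimeSurvey's own code: the `Admin` and `ManagedUser` classes, the handler names and the uids are hypothetical. The unchecked handler applies an ownership change for any administrator; the hardened one only allows a superadmin or the target's current owner to reassign ownership, which is the condition `can_edit_user` also relies on.

```python
from dataclasses import dataclass


class PermissionDenied(Exception):
    """Raised when an administrator attempts an action outside their rights."""


@dataclass
class Admin:
    uid: int
    is_superadmin: bool = False


@dataclass
class ManagedUser:
    uid: int
    owner_id: int  # uid of the administrator who currently owns this account


def can_edit_user(actor: Admin, target: ManagedUser) -> bool:
    """Superadmins may edit anyone; other admins only the users they own."""
    return actor.is_superadmin or actor.uid == target.owner_id


def take_ownership_unchecked(actor: Admin, target: ManagedUser) -> ManagedUser:
    """Hypothetical vulnerable handler: the ownership change is applied without
    asking whether the actor has any right to the target in the first place."""
    target.owner_id = actor.uid
    return target


def take_ownership_checked(actor: Admin, target: ManagedUser) -> ManagedUser:
    """Hardened handler: only a superadmin, or the target's current owner, may
    reassign ownership. Everyone else is denied (and the denial is worth logging)."""
    if not (actor.is_superadmin or actor.uid == target.owner_id):
        raise PermissionDenied(
            f"admin {actor.uid} may not take ownership of user {target.uid}"
        )
    target.owner_id = actor.uid
    return target


def replay_report(handler) -> bool:
    """Replay the report's steps with the given handler: admin2 tries to take
    user1 (owned by admin1) and then edit it. Returns True if admin2 ends up
    able to edit user1, i.e. if the handler is exploitable (uids are constructed)."""
    admin1, admin2 = Admin(uid=1), Admin(uid=2)
    user1 = ManagedUser(uid=10, owner_id=admin1.uid)
    try:
        handler(admin2, user1)
    except PermissionDenied:
        return False
    return can_edit_user(admin2, user1)
```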

We are processing your report and will contact the limesurvey team within 24 hours. 8 months ago
We have contacted a member of the limesurvey team and are waiting to hear back 8 months ago
Carsten Schmitz (Maintainer) 8 months ago

Please be patient while we verify the issue - internal reference #18918

Carsten Schmitz validated this vulnerability 8 months ago
trongdaong24 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Carsten Schmitz marked this as fixed in 6.1.6 with commit 269007 8 months ago
The fix bounty has been dropped
This vulnerability has now been published 8 months ago