Stored XSS in Survey Groups Function in limesurvey/limesurvey


Reported on

Jun 9th 2023


By injecting payloads into the fields (Title, Description), users who visit the "Survey list" screen may be compromised.

Proof of Concept

Step 1: Log in as Administrator, go to the "Survey list" screen function, click the "create survey group" button.

Step 2: Inject the payload into the fields (Title, Description), click the "Save" button.
Payload: <img src=x onerror=alert(1)>

Step 3: The payload is then executed.

Step 4: Visit the Survey list screen; we can see the payload is also triggered.
URL: http://localhost/index.php?r=surveyAdministration/listsurveys


If an attacker can control a script that is executed in the victim's browser, then they can typically fully compromise that user. The attacker can carry out any of the actions that are applicable to the impact of reflected XSS vulnerabilities.
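
An added example, not LimeSurvey's code and not the project's actual fix: the stored Title and Description values from Step 2 rendered into a list row without and with HTML output encoding, followed by a check that counts event-handler attributes in the result. The function names and the sample record are hypothetical.

```php
<?php
// Added illustration; function names and the sample record are hypothetical.

// Constructed sample: a survey group as stored after the payload is saved.
$storedGroup = [
    'title'       => '<img src=x onerror=alert(1)>',
    'description' => 'Internal surveys <img src=x onerror=alert(1)>',
];

// Vulnerable pattern: stored values are concatenated into the page as markup.
function renderGroupRowUnsafe(array $g): string
{
    return '<tr><td>' . $g['title'] . '</td><td>' . $g['description'] . '</td></tr>';
}

// Encode for HTML element content and quoted attribute values.
function encodeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened pattern: every stored value is encoded at output time.
function renderGroupRowSafe(array $g): string
{
    return '<tr><td>' . encodeHtml($g['title']) . '</td><td>' . encodeHtml($g['description']) . '</td></tr>';
}

// Regression check: parse the rendered row and count on* event-handler attributes.
function countEventHandlerAttributes(string $rowHtml): int
{
    $doc = new DOMDocument();
    $previous = libxml_use_internal_errors(true); // tolerate fragment markup
    $doc->loadHTML('<table>' . $rowHtml . '</table>');
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    $count = 0;
    foreach ($doc->getElementsByTagName('*') as $element) {
        foreach ($element->attributes as $attribute) {
            if (stripos($attribute->name, 'on') === 0) {
                $count++;
            }
        }
    }
    return $count;
}

printf("unsafe row handlers: %d\n", countEventHandlerAttributes(renderGroupRowUnsafe($storedGroup)));
printf("safe row handlers:   %d\n", countEventHandlerAttributes(renderGroupRowSafe($storedGroup)));
echo renderGroupRowSafe($storedGroup), PHP_EOL;
```

In the encoded row the payload survives only as inert text, so the parser finds no element carrying an `onerror` attribute.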

We are processing your report and will contact the limesurvey team within 24 hours. 8 months ago
We have contacted a member of the limesurvey team and are waiting to hear back 8 months ago
Carsten Schmitz validated this vulnerability 8 months ago
tuannq2299 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
8 months ago


Can you assign a CVE for this vulnerability?

Carsten Schmitz marked this as fixed in 6.1.6 with commit f0416d 8 months ago
The fix bounty has been dropped
Carsten Schmitz gave praise 8 months ago
Thank you!
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
This vulnerability has now been published 8 months ago