Incorrect Authorization leads to delete user in limesurvey/limesurvey

Valid

Reported on

Jun 15th 2023

Description

The application is experiencing incorrect permission settings, leading to the user with user administration rights being able to delete anyone, including users who are not under their management authority.

Proof of Concept

Step1:The User Demo (super admin) creates a user admin with user management privileges, but this user admin can only delete users created by themselves.

Untitled

Step2: The user admin opens the Inspector window in the browser and removes the "disable" class to be able to click on the "delete user" button.

Untitled

Step3: After clicking "Delete user," a popup window appears, and the user admin clicks "delete" to proceed. User admin2, created by the demo user, will be removed.

Untitled

Untitled

Impact

Other users or higher-level administrators can be deleted, resulting in them being unable to access the system anymore.

We are processing your report and will contact the limesurvey team within 24 hours. 6 months ago
aqngoc modified the report
6 months ago
We have contacted a member of the limesurvey team and are waiting to hear back 6 months ago
Carsten Schmitz validated this vulnerability 5 months ago
aqngoc has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
aqngoc
5 months ago

Researcher

Can you assign CVE for this vulnerability ?

Carsten Schmitz marked this as fixed in 6.1.6 with commit 4824bc 5 months ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
This vulnerability is scheduled to go public on Jul 3rd 2023
Carsten Schmitz published this vulnerability 5 months ago
to join this conversation