Stored XSS in End page in limesurvey/limesurvey


Reported on

May 30th 2023


Allows a user who only has the authority to create surveys (not the administrator) to bypass validation and embed javascript schemes when creating surveys

Step to reproduce

  • Login as administrator
  1. Open User management and Create a user with create surveys only permissions.
  2. Logout
  • Attacker
  1. Login as user with create surveys only permissions
  2. Open Create survey and create a valid survey.
  3. Click Setting and open text elements.
  4. Fill javascript:alert(1)// in End URL and Save.
  5. javascript:scheme is validated and changed to alert(1)//.
  6. Fill javasjavascript:cript:alert(1)// in End URL and Save.
  7. The saved result is javascript:alert(1)// and the javascript scheme can be embedded.(If you put text in the 'URL description:' field, the attack will be more successful because the URL will not be displayed when the link is displayed)
  8. activate.
  • Victim
  1. Open the attacker-generated survey and finish the survey.
  2. Click the link in final page.
  3. Javascript execute.


Cross site scripting attacks can have devastating consequences. Code injected into a vulnerable application can exfiltrate data or install malware on the user’s machine. Attackers can masquerade as authorized users via session cookies, allowing them to perform any action allowed by the user account.


This validation only removes the javascript: once, so if you include more than one, they can be embedded. You need to recurse and remove all of them.

We are processing your report and will contact the limesurvey team within 24 hours. 9 months ago
We have contacted a member of the limesurvey team and are waiting to hear back 9 months ago
Carsten Schmitz validated this vulnerability 8 months ago
yujitounai has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Carsten Schmitz marked this as fixed in 6.1.7 with commit eaad89 7 months ago
The fix bounty has been dropped
This vulnerability has now been published 7 months ago
LSYii_Validators.php#L73 has been validated
to join this conversation