IDOR - Users can change Administrator information (User ID = 1 ) in limesurvey/limesurvey

Valid

Reported on

Sep 21st 2023


Description

IDOR - Users can change Administrator information (User ID = 1 )

Proof of Concept

1. Create an account with all rights.

2. Observe that, by default, the administrator's information (user ID = 1) cannot be changed.

3. Broken access control: the administrator's information (user ID = 1) can nevertheless be changed.

Video PoC

https://drive.google.com/file/d/1op6Pvst1VgftjJD9TIHkYlLkAIgBpvNs/view?usp=sharing

Impact

The attacker ends up with an administrator account, which has serious consequences.
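To make the missing check concrete, here is an added example (not LimeSurvey's code; the user IDs, permission names and user directory are constructed) contrasting a permission-only check with an object-level one that refuses edits to the built-in administrator (user ID 1) by any account that is not itself a superadmin:

```python
# Added example, not LimeSurvey's code: an authorization check for a
# "update user" request, showing why a permission flag alone is not
# enough and how the hardened check protects the built-in superadmin.
from dataclasses import dataclass

SUPERADMIN_ID = 1  # the built-in administrator account named in the report


@dataclass(frozen=True)
class User:
    uid: int
    name: str
    permissions: frozenset  # constructed, coarse permission names


# Constructed sample directory: the built-in admin, an account granted
# every right ("all rights" in the report), and an ordinary user.
USERS = {
    1: User(1, "admin", frozenset({"users_update", "superadmin"})),
    2: User(2, "mallory", frozenset({"users_update", "surveys_create"})),
    3: User(3, "bob", frozenset()),
}


def can_edit_vulnerable(actor: User, target: User) -> bool:
    """Asks only 'may this actor edit users at all?'. The target's identity
    is never considered, which is the IDOR pattern the report describes."""
    return "users_update" in actor.permissions


def can_edit_hardened(actor: User, target: User) -> bool:
    """Object-level check: who the target is matters.
    - anyone may edit their own profile;
    - a superadmin target (ID 1 included) may only be edited by a superadmin;
    - other accounts still require the users_update right."""
    if actor.uid == target.uid:
        return True
    if target.uid == SUPERADMIN_ID or "superadmin" in target.permissions:
        return "superadmin" in actor.permissions
    return "users_update" in actor.permissions


def handle_update(actor_id: int, target_id: int, check=can_edit_hardened) -> str:
    """Simulated request handler: returns 'updated' or 'forbidden'."""
    actor, target = USERS[actor_id], USERS[target_id]
    if not check(actor, target):
        # A denied attempt to modify user 1 is a useful detection signal.
        print(f"DENY uid={actor.uid} tried to edit uid={target.uid}")
        return "forbidden"
    return "updated"


if __name__ == "__main__":
    print(handle_update(2, 1, can_edit_vulnerable))  # updated (the bug)
    print(handle_update(2, 1))                       # forbidden
```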

We are processing your report and will contact the limesurvey team within 24 hours. 5 months ago
tiborpacalat
5 months ago

Internal tracking number: 19107

We have contacted a member of the limesurvey team and are waiting to hear back 5 months ago
HaiNguyen modified the report
5 months ago
HaiNguyen modified the report
5 months ago
HaiNguyen
4 months ago

Researcher


Hi, any new update for this?

tiborpacalat validated this vulnerability 4 months ago
hainguyen0207 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
HaiNguyen
4 months ago

Researcher


Hi, any new update?

HaiNguyen
4 months ago

Researcher


Hi, I also see this error has been fixed with version 6.3.0. Are there any new updates? Thank you.

tiborpacalat marked this as fixed in 6.3.2+231031 with commit 9b54a8 4 months ago
The fix bounty has been dropped
This vulnerability has now been published 4 months ago