Privilege escalation bug to edit survey in limesurvey/limesurvey

Valid

Reported on

Oct 10th 2023


BUG

A normal user can edit any survey.

AFFECTED VERSION

6.2.10

SUMMARY

A normal user has only view permission on a survey, but can still edit that survey by moving it into a survey group he owns.

STEPS TO REPRODUCE

1. A superadmin (user-A) already exists.
2. From the user-A account, add a new user called "user-B".
3. Give user-B the permissions below:

Survey groups --> create and view
Surveys --> view

So, according to these permissions, user-B cannot edit any survey.

4. Now user-A creates a survey called "survey-A". user-B cannot edit this survey.

5. Now log in to the user-B account; user-B can see survey-A but cannot edit it.

6. Now user-B creates a survey group called group-B, with himself as the owner of this group.

7. Now user-B changes the survey group of survey-A to group-B (see image: https://imgur.com/ZmsBSMo).

8. After this, user-B can edit survey-A.
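The steps above, replayed as a small authorization model (a constructed example added here, not LimeSurvey code; the classes, function names and the exact checks are assumptions). It contrasts the flawed rules, where owning a survey's group grants edit rights and re-parenting a survey needs only view permission, with hardened rules where only rights on the survey itself count and the move is treated as an edit of the survey.

```python
# Constructed model of the survey-group escalation described above. Not LimeSurvey
# code: classes, function names and the checks shown are assumptions for illustration.
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    is_superadmin: bool = False
    survey_perms: dict = field(default_factory=dict)  # explicit rights, e.g. {"survey-A": {"read"}}

@dataclass
class SurveyGroup:
    name: str
    owner: str

@dataclass
class Survey:
    name: str
    owner: str
    group: str

def has_survey_right(user, survey, right):
    """Rights on the survey itself: superadmin, survey owner, or an explicit grant."""
    return (user.is_superadmin or survey.owner == user.name
            or right in user.survey_perms.get(survey.name, set()))

def can_edit_vulnerable(user, survey, groups):
    """Flawed rule: owning the survey's group is treated as edit rights on the survey."""
    return groups[survey.group].owner == user.name or has_survey_right(user, survey, "update")

def can_edit_fixed(user, survey, groups):
    """Hardened rule: only rights on the survey itself count; group ownership is ignored."""
    return has_survey_right(user, survey, "update")

def move_survey(user, survey, group, groups, required_right):
    """Re-parent a survey into a group the user owns. Flawed path: required_right="read";
    hardened path: the move is itself an edit of the survey, so required_right="update"."""
    if has_survey_right(user, survey, required_right) and groups[group].owner == user.name:
        survey.group = group
        return True
    return False

def reproduce(can_edit, required_right):
    """Replay steps 1-8 of the report; returns (editable before move, move allowed, editable after)."""
    user_b = User("user-B", survey_perms={"survey-A": {"read"}})  # step 3: survey view only
    groups = {"default": SurveyGroup("default", "user-A"), "group-B": SurveyGroup("group-B", "user-B")}
    survey_a = Survey("survey-A", owner="user-A", group="default")  # step 4: created by user-A
    before = can_edit(user_b, survey_a, groups)
    moved = move_survey(user_b, survey_a, "group-B", groups, required_right)  # step 7
    return before, moved, can_edit(user_b, survey_a, groups)  # step 8
```

Under the flawed rules reproduce returns (False, True, True): user-B cannot edit survey-A, moves it into group-B, and then can edit it; under the hardened rules the move is refused and edit rights never appear. The flawed move combined with the hardened edit rule gives (False, True, False), showing that closing either check alone already stops the escalation.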

Impact

A normal user with only view permission can edit any survey.

We are processing your report and will contact the limesurvey team within 24 hours. (2 months ago)
tiborpacalat (2 months ago): Internal tracking number: 19169
We have contacted a member of the limesurvey team and are waiting to hear back. (2 months ago)
tiborpacalat validated this vulnerability (a month ago)
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
tiborpacalat marked this as fixed in 6.3.2+231031 with commit 35d09e (a month ago)
The fix bounty has been dropped
This vulnerability will not receive a CVE
tiborpacalat published this vulnerability (a month ago)