privilege escalation bug to edit survey in limesurvey/limesurvey


Reported on

Oct 10th 2023


normal user can edit any survey




normal user has view permiision in survey . But still that user can edit the survey by adding that survey to his own group .


1. There is already a superadmin(user-A) present .
2. now from user-A account add new user called "user-B" .
3. Gives bellow permission for user-B \

Survey groups  --> create and view 
Surveys ---> view

so, as per permission user-B cant edit any survey

4. now user-A create a survey called "survey-A" . user-B cant edit this survey .

5. now goto user-B account and here user-B can see above survey-A but cant edit this .

6. Now user-B create a survey-group called group-B and owner is himself of this group .

7. now user-B change the survey group of survey-A to group-B . check image

8. After this user-B can edit the survey-A


normal user can edit any survey

We are processing your report and will contact the limesurvey team within 24 hours. 2 months ago
2 months ago

Internal tracking number: 19169

We have contacted a member of the limesurvey team and are waiting to hear back 2 months ago
tiborpacalat validated this vulnerability a month ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
tiborpacalat marked this as fixed in 6.3.2+231031 with commit 35d09e a month ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
tiborpacalat published this vulnerability a month ago
to join this conversation