Add arbitrary users to the user group in limesurvey/limesurvey

Valid

Reported on

Sep 26th 2023


Description

Add arbitrary users to the user group

Proof of Concept

1. Administrator user (haido456) creates a user group named group456.

2. User hai123 has general user rights but has the right to add arbitrary users to the user group group456.

3. This includes users that the admin does not want added to the group.

Video PoC

https://drive.google.com/file/d/1XTo-ecnmTFOebAygBJO0jKKroEuX0ONt/view?usp=sharing

Impact

Security risk: This vulnerability could pose a security risk because user "haido123" has the ability to add user preferences to the group without any control. This can lead to unauthorized access to important resources or information.

Reduced access control: The administrator (admin) cannot correctly control access to the group to automatically add members of user "haido123". This can result in users not being granted access to resources or information that they should not have.
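The access-control gap the report describes, modelled as an added example that is not LimeSurvey's own code: `add_member_vulnerable` passes anyone holding the general user-group right, while `add_member_fixed` also requires ownership of the specific group being modified. The class names, the `"usergroups"` right and the `owner` field are assumptions; the user and group names are the ones from the report.

```python
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when an actor lacks permission for the requested change."""


@dataclass
class User:
    name: str
    is_superadmin: bool = False
    # Application-wide rights, e.g. {"usergroups"}; assumed permission model.
    global_rights: set = field(default_factory=set)


@dataclass
class UserGroup:
    name: str
    owner: str                      # the user who created the group
    members: set = field(default_factory=set)


def add_member_vulnerable(actor: User, group: UserGroup, new_member: str) -> None:
    # Function-level check only: any user holding the general "usergroups"
    # right passes, regardless of which group is being modified.
    if not (actor.is_superadmin or "usergroups" in actor.global_rights):
        raise Forbidden(f"{actor.name} may not manage user groups")
    group.members.add(new_member)


def add_member_fixed(actor: User, group: UserGroup, new_member: str) -> None:
    # Object-level check: the actor must own this particular group (or be a
    # superadmin); the general right alone is no longer sufficient.
    if not (actor.is_superadmin or group.owner == actor.name):
        raise Forbidden(f"{actor.name} does not own group {group.name}")
    group.members.add(new_member)


def replay_poc(handler) -> bool:
    """Replay the report's scenario against `handler`. Returns True if the
    non-owner hai123 managed to add a third user to the admin's group."""
    admin = User("haido456", is_superadmin=True)
    group = UserGroup("group456", owner=admin.name)
    # hai123 holds the general right but did not create group456 (assumed).
    hai123 = User("hai123", global_rights={"usergroups"})
    try:
        handler(hai123, group, "unwanted_user")   # constructed victim name
    except Forbidden:
        return False
    return "unwanted_user" in group.members
```

`replay_poc(add_member_vulnerable)` returns True and `replay_poc(add_member_fixed)` returns False, while the group owner can still add members through the fixed handler.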

We are processing your report and will contact the limesurvey team within 24 hours. 5 months ago
tiborpacalat
5 months ago

Can you please make the video link accessible?

HaiNguyen
5 months ago

Researcher


@tiborpacalat, sorry, yes, I edited the Video PoC's copyright. You can check the report again. Thank you.

We have contacted a member of the limesurvey team and are waiting to hear back 5 months ago
tiborpacalat
5 months ago

This is the wrong video, but I'll try to reproduce the issue.

HaiNguyen
5 months ago

Researcher


@tiborpacalat, sorry for posting the wrong PoC video. I will resend: https://drive.google.com/file/d/1XTo-ecnmTFOebAygBJO0jKKroEuX0ONt/view?usp=sharing

HaiNguyen modified the report
5 months ago
tiborpacalat
5 months ago

Internal tracking number: 19134

tiborpacalat validated this vulnerability 4 months ago
hainguyen0207 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
tiborpacalat marked this as fixed in 6.2.11+231007 with commit b947dc 4 months ago
The fix bounty has been dropped
This vulnerability has now been published 4 months ago