
Cross Site Scripting Vulnerability on "textbox" via "Notifications & data" feature in LimeSurvey version 4.2.5. #1441

Closed


tranvannam186

Dev: Cross Site Scripting Vulnerability on "textbox" via "Notifications & data" feature in LimeSurvey version 4.2.5.
**Describe the bug**
An authenticated malicious user can take advantage of a Reflected XSS vulnerability on "textbox" via "Notifications & data" feature in LimeSurvey version 4.2.5.

**To Reproduce**
Steps to reproduce the behavior:

  1. Log into the panel.
  2. Go to "/LimeSurvey-master/index.php/admin/survey/sa/rendersidemenulink/subaction/notification/surveyid/147787"
  3. Select "Send basic admin notification email to:" or "Send detailed admin notification email to:"
  4. Insert Payload in "textbox":
     `// # "><svg/onload=prompt(/NamTV/)>`
  5. Click "save"

**Expected behavior**
The removal of script tags is not sufficient to prevent an XSS attack.
You must HTML Entity encode any output that is Reflected back to the page.

**Impact**
Commonly include transmitting private data, like cookies or other session information, to the attacker, redirecting the victim to web content controlled by the attacker, or performing other malicious operations on the user's machine under the guise of the vulnerable site.

**Screenshots**

ptelu and others added 30 commits June 5, 2020 18:17
@tranvannam186 tranvannam186 changed the title Develop Cross Site Scripting Vulnerability on "textbox" via "Notifications & data" feature in LimeSurvey version 4.2.5. Jun 22, 2020
@Shnoulle
Collaborator

Please report the issue clearly on https://bugs.limesurvey.org/

And when you find a security issue, it is best to report it before making it public …

@maziminke
Collaborator

Luckily just an issue if the attacker already has access to your admin backend.

@Shnoulle
Collaborator

> Luckily just an issue if the attacker already has access to your admin backend.

Yes (maybe), but I need to understand if it's with an XSS-enabled user. If yes, I think we must fix it for question->text too :)

@Shnoulle
Collaborator

Or maybe it's just an encoding issue: `// # "><svg/onload=prompt(/NamTV/)>` ?

@cfi-gb

cfi-gb commented Jul 1, 2021

Seems CVE-2020-23710 has been assigned to this issue recently.

Sorry for pinging you @tranvannam186 @Shnoulle @olleharstedt, but is there any info / resource available on whether this got fixed at all (the PR here was closed, but it probably should have been an issue anyway, as I don't see any commit of @tranvannam186) and, if so, in which release of LimeSurvey?
