View Issue Details

This issue affects 1 person(s).

ID: 20390
Project: Bug reports
Category: Security
View Status: public
Last Update: 2025-12-19 18:00
Reporter: jarrod.c
Assigned To: tibor.pacalat
Priority: none
Severity: minor
Status: assigned
Resolution: open
Product Version: 6.6.x
Summary: 20390: Phishing by Navigating Browser Tabs
Description

Vulnerability

Survey is affected by the following vulnerability: CWE-1022: Use of Web Link to Untrusted Target with window.opener Access
https://cwe.mitre.org/data/definitions/1022.html

Example

<div class=" ">
  <div class="row">
    <div class="col-6 col-md-12">
      <a href="https://www.limesurvey.org" target="_blank" >
        <img class="img-fluid" src="/tmp/assets/8bf0a8ca/poweredby.png" alt="Proudly powered by LimeSurvey" />
      </a>
    </div>
    <div class="col-12 d-block d-sm-none d-md-block text-center">
      <a href="https://www.limesurvey.org" target="_blank" class="text-decoration-underline">
        The Online Survey Tool
      </a>
      - Free & Open Source
    </div>
    <div class="col-6 d-none d-sm-block d-md-none text-center">
      <a href="https://www.limesurvey.org" target="_blank" >
        Online Surveytool
      </a>
    </div>
  </div>
</div>

Remedy

  • Add rel=noopener to the links to prevent pages from abusing window.opener. This ensures that the page cannot access the window.opener property in Chrome and Opera browsers.
  • For older browsers and in Firefox, you can add rel=noreferrer, which additionally disables the Referer header.
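The remedy above is easy to state but tedious to verify across a template tree (the reporter counts 102 uses of target="_blank"). The following is an added example, not LimeSurvey's own code: a small static check that finds every <a target="_blank"> without rel="noopener" or rel="noreferrer" (noreferrer implies noopener), reports its line, and produces the hardened form of the tag. The sample markup is constructed here from the footer snippet in the report plus one already-hardened link and one same-tab link; the function names and the regex-based attribute parser are this example's own assumptions, and the parser is intentionally minimal (it handles quoted and unquoted attribute values in ordinary templates, not arbitrary HTML).

```javascript
// Added example, not LimeSurvey project code.
// Flags <a target="_blank"> links that lack rel="noopener"/"noreferrer" and
// shows the hardened form. The attribute parser is a deliberately small
// regex for template files, not a full HTML parser.

// Constructed sample: the report's footer markup, one hardened link, one same-tab link.
const SAMPLE_HTML = `
<div class="row">
  <div class="col-6 col-md-12">
    <a href="https://www.limesurvey.org" target="_blank">
      <img class="img-fluid" src="/tmp/assets/8bf0a8ca/poweredby.png" alt="Proudly powered by LimeSurvey" />
    </a>
  </div>
  <div class="col-12 text-center">
    <a href="https://www.limesurvey.org" target="_blank" class="text-decoration-underline">The Online Survey Tool</a>
  </div>
  <div class="col-6 text-center">
    <a href="https://www.limesurvey.org" target='_blank' rel="noopener noreferrer">Online Surveytool</a>
  </div>
  <a href="/internal" target="_self">same tab, irrelevant</a>
</div>`;

// Parse the attribute list of one start tag into a lowercase-keyed map.
// Accepts name="v", name='v', name=v and bare boolean attributes.
function parseAttributes(tagBody) {
  const attrs = {};
  const re = /([^\s=\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(tagBody)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// A link is unsafe when it opens a new browsing context and neither
// noopener nor noreferrer is present (noreferrer implies noopener).
function isBlankLinkUnsafe(attrs) {
  if ((attrs.target || '').toLowerCase() !== '_blank') return false;
  const rel = (attrs.rel || '').toLowerCase().split(/\s+/).filter(Boolean);
  return !(rel.includes('noopener') || rel.includes('noreferrer'));
}

// Scan a document and return each offending anchor with its 1-based line number.
function findUnsafeBlankLinks(html) {
  const findings = [];
  const tagRe = /<a\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = parseAttributes(m[1]);
    if (isBlankLinkUnsafe(attrs)) {
      const line = html.slice(0, m.index).split('\n').length;
      findings.push({ line, href: attrs.href || '', tag: m[0] });
    }
  }
  return findings;
}

// Return the same start tag with noopener and noreferrer added to rel
// (creating rel if absent, merging with existing tokens otherwise).
function hardenBlankLink(tag) {
  const relRe = /\srel\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/i;
  const m = relRe.exec(tag);
  if (!m) {
    return tag.replace(/\s*\/?>$/, (end) => ` rel="noopener noreferrer"${end.trim()}`);
  }
  const tokens = (m[1] ?? m[2] ?? m[3] ?? '').split(/\s+/).filter(Boolean);
  const lower = tokens.map((t) => t.toLowerCase());
  for (const needed of ['noopener', 'noreferrer']) {
    if (!lower.includes(needed)) tokens.push(needed);
  }
  return tag.slice(0, m.index) + ` rel="${tokens.join(' ')}"` + tag.slice(m.index + m[0].length);
}

// Stand-alone run: list findings and the hardened replacement for each.
for (const f of findUnsafeBlankLinks(SAMPLE_HTML)) {
  console.log(`line ${f.line}: ${f.tag}`);
  console.log(`  fix:   ${hardenBlankLink(f.tag)}`);
}
```

Run it with node against any template directory by replacing SAMPLE_HTML with the file contents. Two caveats for triage: the check flags every new-tab link regardless of destination, which is the right behaviour for a lint (trust of the target is a separate judgement, as the discussion below notes), and current Chromium, Firefox and Safari already apply noopener by default to target="_blank", so the explicit rel attribute matters for older browsers and for making the intent visible in the template.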
Steps To Reproduce

Steps to reproduce

Expected result

Actual result

Tags: No tags attached.
Bug heat: 254
Complete LimeSurvey version number (& build): 6.16.2+251209
I will donate to the project if issue is resolved: No
Browser:
Database type & version: Irrelevant
Server OS (if known):
Webserver software & version (if known):
PHP Version: Irrelevant


Activities

jarrod.c (reporter), 2025-12-18 19:19, ~84041

While reviewing the source code, I found that the target="_blank" attribute on href links is used 102 times.

DenisChenu (developer), 2025-12-19 08:45, ~84042

Unsure www.limesurvey.org is an untrusted target?

DenisChenu (developer), 2025-12-19 08:46, ~84043

I didn't set it as private since it's included in core and there is no way for a simple user of a LimeSurvey instance to add such a link.

jarrod.c (reporter), 2025-12-19 18:00, ~84047

Correct, I should have used a different example URL.

Understood, so an attacker's URL would need to be approved and merged.

Issue History

Date Modified     | Username   | Field        | Change
2025-12-18 18:45  | jarrod.c   | New Issue    |
2025-12-18 19:19  | jarrod.c   | Note Added   | 84041
2025-12-18 19:19  | jarrod.c   | Bug heat     | 250 => 252
2025-12-19 08:45  | DenisChenu | Note Added   | 84042
2025-12-19 08:45  | DenisChenu | Bug heat     | 252 => 254
2025-12-19 08:45  | DenisChenu | Assigned To  | => tibor.pacalat
2025-12-19 08:45  | DenisChenu | Status       | new => assigned
2025-12-19 08:46  | DenisChenu | Status       | assigned => feedback
2025-12-19 08:46  | DenisChenu | Note Added   | 84043
2025-12-19 18:00  | jarrod.c   | Note Added   | 84047
2025-12-19 18:00  | jarrod.c   | Status       | feedback => assigned