View Issue Details

Related ChangesetsJump to NotesJump to History
This bug affects 1 person(s).
 254
IDProjectCategoryView StatusDate SubmittedLast Update
13560Bug reportsSecuritypublic2018-04-02 16:562018-04-10 14:41
Reporterstrukt93 Assigned Tomarkusfluer 
PrioritynoneSeverityminor 
Status closedResolutionfixed 
Fixed in Version3.6.x 
Summary13560: Stored XSS in Boxes
Description

The issue issue exists because the "Destination" parameter is not sanitized before reflecting into the home page when an admin creates a box. Thus, a malicious admin may use that to attacker other admins or users. To reproduce, go to http://HOST/limesurvey/index.php/admin/homepagesettings/sa/create, fill all the input fields and enter "><svg/onload=alert(1)> as the value of the "Destination" field and create the box. Visit the site's home page and an alert box should be there.

TagsNo tags attached.
Bug heat254
Complete LimeSurvey version number (& build)3.0.0-beta.3+17110
I will donate to the project if issue is resolvedNo
Browser
Database type & versionMariaDB
Server OS (if known)Linux/Windows
Webserver software & version (if known)Apache2
PHP Version7.0

Users monitoring this issue

There are no users monitoring this issue.

Activities

markusfluer

markusfluer

2018-04-09 13:49

administrator   ~47371

Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=26932
markusfluer

markusfluer

2018-04-09 13:51

administrator   ~47372

The boxes are build to be non-js safe. An admin should be able to add js and html into the boxes.
The url should not be scriptable though. That was fixed.
strukt93

strukt93

2018-04-09 23:12

reporter   ~47374

Thank you very much, can you make it public so that I can request a CVE and reference this thread ?

Related Changesets

LimeSurvey: master 86a0275d

2018-04-09 15:49

markusfluer


Details Diff		 Fixed issue 13560: Stored XSS in Boxes Affected Issues
13560
mod - application/models/Boxes.php Diff File

Issue History

Date Modified Username Field Change
2018-04-02 16:56 strukt93 New Issue
2018-04-09 13:49 markusfluer Changeset attached => LimeSurvey master 86a0275d
2018-04-09 13:49 markusfluer Note Added: 47371
2018-04-09 13:49 markusfluer Assigned To => markusfluer
2018-04-09 13:49 markusfluer Resolution open => fixed
2018-04-09 13:51 markusfluer Status new => resolved
2018-04-09 13:51 markusfluer Fixed in Version => 3.6.x
2018-04-09 13:51 markusfluer Note Added: 47372
2018-04-09 23:12 strukt93 Note Added: 47374
2018-04-10 14:41 c_schmitz View Status private => public
2018-04-10 14:41 c_schmitz Status resolved => closed