View Issue Details

IDProjectCategoryView StatusLast Update
13560Bug reportsSecuritypublic2018-04-10 14:41
Reporterstrukt93 Assigned Tomarkusfluer 
Status closedResolutionfixed 
Fixed in Version3.6.x 
Summary13560: Stored XSS in Boxes

The issue issue exists because the "Destination" parameter is not sanitized before reflecting into the home page when an admin creates a box. Thus, a malicious admin may use that to attacker other admins or users. To reproduce, go to http://HOST/limesurvey/index.php/admin/homepagesettings/sa/create, fill all the input fields and enter "><svg/onload=alert(1)> as the value of the "Destination" field and create the box. Visit the site's home page and an alert box should be there.

TagsNo tags attached.
Complete LimeSurvey version number (& build)3.0.0-beta.3+17110
I will donate to the project if issue is resolvedNo
Database & DB-VersionMariaDB
Server OS (if known)Linux/Windows
Webserver software & version (if known)Apache2
PHP Version7.0




2018-04-09 13:49

administrator   ~47371

Fix committed to master branch:;id=26932



2018-04-09 13:51

administrator   ~47372

The boxes are build to be non-js safe. An admin should be able to add js and html into the boxes.
The url should not be scriptable though. That was fixed.



2018-04-09 23:12

reporter   ~47374

Thank you very much, can you make it public so that I can request a CVE and reference this thread ?

Related Changesets

LimeSurvey: master 86a0275d

2018-04-09 13:49:13


Details Diff
Fixed issue 13560: Stored XSS in Boxes Affected Issues
mod - application/models/Boxes.php Diff File

Issue History

Date Modified Username Field Change
2018-04-02 16:56 strukt93 New Issue
2018-04-09 13:49 markusfluer Changeset attached => LimeSurvey master 86a0275d
2018-04-09 13:49 markusfluer Note Added: 47371
2018-04-09 13:49 markusfluer Assigned To => markusfluer
2018-04-09 13:49 markusfluer Resolution open => fixed
2018-04-09 13:51 markusfluer Status new => resolved
2018-04-09 13:51 markusfluer Fixed in Version => 3.6.x
2018-04-09 13:51 markusfluer Note Added: 47372
2018-04-09 23:12 strukt93 Note Added: 47374
2018-04-10 14:41 c_schmitz View Status private => public
2018-04-10 14:41 c_schmitz Status resolved => closed