View Issue Details

This bug affects 1 person(s).
ID: 14635
Project: Bug reports
Category: Security
View Status: public
Last Update: 2019-04-02 16:40
Reporter: markusfluer
Assigned To: DenisChenu
Priority: none
Severity: minor
Status: closed
Resolution: fixed
Product Version: 3.16.x
Fixed in Version: 3.17.x
Summary: 14635: XSS Attack Vector - export_helper.php
Description

SPSS export open to an attack via XSS via the 'noanswervalue' POST parameter.

Tags: No tags attached.
Bug heat: 252
Complete LimeSurvey version number (& build): 3.16.0
I will donate to the project if issue is resolved: No
Browser:
Database type & version: irrelevant
Server OS (if known):
Webserver software & version (if known):
PHP Version: irrelevant


Activities

DenisChenu

2019-03-22 19:06

developer   ~51101

Not only … neither value are encoded …

DenisChenu

2019-03-25 08:39

developer   ~51115

https://github.com/LimeSurvey/LimeSurvey/commit/4d1f9e0c0e3a9fea3309e2aae4665305b6c44d3e

Issue History

Date Modified Username Field Change
2019-03-12 13:53 markusfluer New Issue
2019-03-22 16:00 DenisChenu View Status public => private
2019-03-22 19:06 DenisChenu Note Added: 51101
2019-03-22 19:07 DenisChenu Assigned To => DenisChenu
2019-03-22 19:07 DenisChenu Status new => assigned
2019-03-25 08:39 DenisChenu Status assigned => resolved
2019-03-25 08:39 DenisChenu Resolution open => fixed
2019-03-25 08:39 DenisChenu Note Added: 51115
2019-03-25 08:39 DenisChenu View Status private => public
2019-03-25 08:41 DenisChenu Fixed in Version => 3.16.x
2019-04-02 16:40 ollehar Status resolved => closed
2019-04-02 16:40 ollehar Fixed in Version 3.16.x => 3.17.x