View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
14713 | Bug reports | Security | public | 2019-04-02 08:27 | 2019-04-02 16:43 |
Field | Value |
---|---|
Reporter | bewi |
Assigned To | DenisChenu |
Priority | none |
Severity | partial_block |
Status | closed |
Resolution | fixed |
Product Version | 3.16.x |
Fixed in Version | 3.17.x |
Summary | 14713: Persistent XSS in user group management |
Description | It is possible to permanently store malware in the application and an admin with low privileges can infect a SuperAdmin. Any user or admin who can create a new user group or who can edit a user group can infiltrate malicious code in the "Description" input field. |
Steps To Reproduce | see screenshots: Limesurvey - 02 - user group list.png Limesurvey - 03 - user group list.png |
Tags | No tags attached. |
Attached Files | LimeSurvey - 01 - editing user group.png, LimeSurvey - 02 - user group list.png, LimeSurvey - 03 - user group list.png |
Bug heat | 254 |
Complete LimeSurvey version number (& build) | Version 3.16.1+190314 |
I will donate to the project if issue is resolved | No |
Browser | firefox |
Database type & version | irrelevant |
Server OS (if known) | irrelevant |
Webserver software & version (if known) | irrelevant |
PHP Version | irrelevant |
Notes

DenisChenu (note 51264, 2019-04-02 09:19): Thanks for reporting

DenisChenu (note 51266, 2019-04-02 10:15): https://github.com/LimeSurvey/LimeSurvey/commit/cb81914c361f4cb070b217282522f51fed4dc8be

bewi (note 51267, 2019-04-02 10:18): The group name seems to be OK. That field is much shorter, so the payload would be very short. You might need a general approach to show all fields in a safe way (we had a pen-test two years ago, and there also was an XSS error).

DenisChenu (note 51268, 2019-04-02 10:30): Here this part uses its own function, only used for it … I don't understand why, since Yii has all. We have:
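The "general approach to show all fields in a safe way" that the reporter asks for is output encoding applied to every user-controlled field at render time, not a per-field fix. The following is an added illustration and is not LimeSurvey's code or the code changed in the linked commit; the group row, the column list and the helper names are constructed for the example. It contrasts a list cell that inserts the stored description unchanged with one that HTML-encodes every column before it reaches the page, using PHP's built-in htmlspecialchars (the Yii 1.x framework helper CHtml::encode wraps the same call).

```php
<?php
// Added example, not LimeSurvey code. Shows why a stored (persistent) XSS in
// the user-group "Description" field reaches every admin who opens the list,
// and how encoding at output time closes it for all fields at once.

// Constructed sample row, as a low-privilege admin could have saved it.
// The description carries markup instead of plain text.
$group = [
    'ugid'        => 7,
    'name'        => 'Reviewers',
    'description' => 'Review team <script>alert(1)</script>',
    'owner'       => 'bewi',
];

// Unsafe rendering: the stored string is concatenated into the HTML as-is,
// so any tag it contains becomes part of the page (and runs) for the viewer.
function render_row_unsafe(array $group): string
{
    return '<tr><td>' . $group['name'] . '</td><td>'
         . $group['description'] . '</td></tr>';
}

// Encoding helper: escapes <, >, &, " and ' so the value is inert both in
// element bodies and inside attribute values. ENT_SUBSTITUTE replaces
// invalid UTF-8 sequences instead of returning an empty string.
function encode_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Safe rendering, the "general approach": every displayed column goes
// through the same encoder, regardless of how short or long the field is.
// $columns is the constructed list of fields the table shows.
function render_row_safe(array $group, array $columns): string
{
    $cells = '';
    foreach ($columns as $column) {
        $cells .= '<td>' . encode_html((string) ($group[$column] ?? '')) . '</td>';
    }
    return '<tr>' . $cells . '</tr>';
}

// Defensive check usable in a review or unit test: the rendered output must
// not contain the raw tag that was stored, only its encoded form.
function contains_raw_markup(string $html, string $stored): bool
{
    return strpos($html, $stored) !== false;
}

$columns = ['name', 'description', 'owner'];

echo render_row_unsafe($group), PHP_EOL;
echo render_row_safe($group, $columns), PHP_EOL;

var_dump(contains_raw_markup(render_row_unsafe($group), '<script>'));
var_dump(contains_raw_markup(render_row_safe($group, $columns), '<script>'));
```

The point of routing the whole row through one encoder is the one bewi raises: fixing the description alone leaves the shorter name field (or any column added later) to be checked separately, whereas encoding at the single place where values are written into HTML makes the length of the field irrelevant.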
Date Modified | Username | Field | Change |
---|---|---|---|
2019-04-02 08:27 | bewi | New Issue | |
2019-04-02 08:27 | bewi | File Added: LimeSurvey - 01 - editing user group.png | |
2019-04-02 08:27 | bewi | File Added: LimeSurvey - 02 - user group list.png | |
2019-04-02 08:27 | bewi | File Added: LimeSurvey - 03 - user group list.png | |
2019-04-02 09:18 | DenisChenu | Assigned To | => DenisChenu |
2019-04-02 09:18 | DenisChenu | Status | new => assigned |
2019-04-02 09:18 | DenisChenu | View Status | public => private |
2019-04-02 09:19 | DenisChenu | Note Added: 51264 | |
2019-04-02 09:54 | DenisChenu | Summary | Persistent XSS => Persistent XSS in user group management |
2019-04-02 10:15 | DenisChenu | Status | assigned => resolved |
2019-04-02 10:15 | DenisChenu | Resolution | open => fixed |
2019-04-02 10:15 | DenisChenu | Fixed in Version | => 3.16.x |
2019-04-02 10:15 | DenisChenu | Note Added: 51266 | |
2019-04-02 10:15 | DenisChenu | View Status | private => public |
2019-04-02 10:18 | bewi | Note Added: 51267 | |
2019-04-02 10:30 | DenisChenu | Note Added: 51268 | |
2019-04-02 16:43 | ollehar | Status | resolved => closed |
2019-04-02 16:43 | ollehar | Fixed in Version | 3.16.x => 3.17.x |