View Issue Details

ID: 14728
Project: Bug reports
Category: Security
View Status: public
Last Update: 2019-04-30 09:13
Reporter: bewi
Assigned To: DenisChenu
Priority: none
Severity: partial_block
Status: closed
Resolution: fixed
Product Version: 3.17.x
Fixed in Version: 3.17.x
Summary: 14728: Persistent XSS for question groups
Description

For survey groups you can insert HTML code in the fields 'title' and 'description', which is shown on the survey list / survey group list.

Steps To Reproduce

LimeSurvey - 07 - update survey group.png
Insert the HTML code.

LimeSurvey - 08 - survey list.png
First the code in the title,

LimeSurvey - 09 - survey list.png
then the code in the description is executed.

Tags: No tags attached.
Attached Files:
Bug heat: 256
Complete LimeSurvey version number (& build): 3.17.0
I will donate to the project if issue is resolved: No
Browser:
Database type & version: mysql
Server OS (if known):
Webserver software & version (if known):
PHP Version: 7.2

Activities

bewi (reporter)   2019-04-03 11:41   ~51298

The code in the field 'title' even gets executed in the frontend if you preview a question of that group.

DenisChenu (developer)   2019-04-03 17:01   ~51316

Fixed in https://github.com/LimeSurvey/LimeSurvey/commit/b378cb000966cd47620be22f31a63dfb3e72c4b1
Thanks a lot for tracking all this XSS.

I cannot reproduce for LimeSurvey - 10 - survey preview: are you sure it's not another test?

bewi (reporter)   2019-04-04 07:31   ~51329

Sorry, that "Hu" came from the field "Description" in a "question group" and this ticket is about "survey group" (I made a mistake in the field "summary" of this ticket).
As that field is an RTE field you can, intentionally, insert anything by switching to source view in the editor. Which reminds me: because of that, not every admin should be allowed to do so. (I will add another ticket.)

DenisChenu (developer)   2019-04-04 07:49   ~51330

OK, thanks again.

c_schmitz (administrator)   2019-04-30 09:13   ~51683

Fixed in version 3.17.3
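
The class of bug reported in this ticket (stored 'title' and 'description' values reaching the list page as markup), shown as an added example that is not part of the thread and is not LimeSurvey's code or its fix. The function names and the sample row are hypothetical and constructed for illustration.

```php
<?php
// Added example, not LimeSurvey code; all names here are hypothetical.

// Constructed sample row: what storage returns after markup was saved
// into the plain-text 'title' and 'description' fields of a group.
$group = [
    'title'       => '<script>alert("title")</script>',
    'description' => '<img src=x onerror=alert("description")>',
];

// Vulnerable pattern: stored values are concatenated straight into the
// list markup, so the browser parses them as HTML for every viewer.
function renderRowUnsafe(array $g): string
{
    return '<tr><td>' . $g['title'] . '</td><td>' . $g['description'] . '</td></tr>';
}

// Hardened pattern: encode at output time for the HTML text context.
// ENT_QUOTES also covers use inside quoted attributes; ENT_SUBSTITUTE
// replaces invalid UTF-8 instead of returning an empty string.
function encodeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderRowSafe(array $g): string
{
    return '<tr><td>' . encodeHtml($g['title']) . '</td><td>'
        . encodeHtml($g['description']) . '</td></tr>';
}

$unsafe = renderRowUnsafe($group);
$safe   = renderRowSafe($group);

// The unsafe row still carries live tags; the safe row carries only text.
var_dump(strpos($unsafe, '<script>') !== false); // bool(true)
var_dump(strpos($safe, '<script>') === false);   // bool(true)
var_dump(strpos($safe, '<img') === false);       // bool(true)

echo $safe, PHP_EOL;
```

Output encoding fits plain-text fields such as these; a field that is meant to hold HTML, like the RTE description mentioned in note ~51329, needs an allow-list HTML sanitizer and a restriction on who may edit it instead.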

Issue History

Date Modified Username Field Change
2019-04-03 11:23 bewi New Issue
2019-04-03 11:23 bewi File Added: LimeSurvey - 07 - update survey group.png
2019-04-03 11:23 bewi File Added: LimeSurvey - 08 - survey list.png
2019-04-03 11:23 bewi File Added: LimeSurvey - 09 - survey list.png
2019-04-03 11:41 bewi File Added: LimeSurvey - 10 - survey preview.png
2019-04-03 11:41 bewi Note Added: 51298
2019-04-03 17:01 DenisChenu Assigned To => DenisChenu
2019-04-03 17:01 DenisChenu Status new => feedback
2019-04-03 17:01 DenisChenu Note Added: 51316
2019-04-03 17:01 DenisChenu Fixed in Version => 3.17.x
2019-04-04 07:31 bewi Note Added: 51329
2019-04-04 07:31 bewi Status feedback => assigned
2019-04-04 07:49 DenisChenu Status assigned => resolved
2019-04-04 07:49 DenisChenu Resolution open => fixed
2019-04-04 07:49 DenisChenu Note Added: 51330
2019-04-30 09:13 c_schmitz Note Added: 51683
2019-04-30 09:13 c_schmitz Status resolved => closed