View Issue Details

IDProjectCategoryView StatusLast Update
14728Bug reports[All Projects] Securitypublic2019-04-30 09:13
Reporterbewi Assigned ToDenisChenu  
PrioritynoneSeveritymajor 
Status closedResolutionfixed 
Product Version3.17.x 
Target VersionFixed in Version3.17.x 
Summary14728: Persistent XSS for question groups
Description

for survey groups you can insert HTML code in the fields 'title' and 'description' which is shown on the survey list/ survey group list

Steps To Reproduce

LimeSurvey - 07 - update survey group.png
insert the html code

LimeSurvey - 08 - survey list.png
first the code in the title

LimeSurvey - 09 - survey list.png
then the code in the description is executed

TagsNo tags attached.
Complete LimeSurvey version number (& build)3.17.0
I will donate to the project if issue is resolvedNo
Browser
Database & DB-Versionmysql
Server OS (if known)
Webserver software & version (if known)
PHP Version7.2

Activities

bewi

bewi

2019-04-03 11:23

reporter  

bewi

bewi

2019-04-03 11:41

reporter   ~51298

the code in the field 'title' even get executed in the Frontend if you preview a question of that group



DenisChenu

DenisChenu

2019-04-03 17:01

developer   ~51316

Fixed in https://github.com/LimeSurvey/LimeSurvey/commit/b378cb000966cd47620be22f31a63dfb3e72c4b1
Thanks a lot for tracking all this XSS .

I can not reproduce for LimeSurvey - 10 - survey preview : are you sure it's not another test ?

bewi

bewi

2019-04-04 07:31

reporter   ~51329

Sorry, that "Hu" came from the field "Description" in a "question group" and this ticket is about "survey group" (I made a mistake in the field "summary" of this ticket).
As that field is an RTE field you can, intentionally, insert anything switching to source view in the editor. Which reminds me: because of that not every admin should be allowed to do so. (I will add another ticket)

DenisChenu

DenisChenu

2019-04-04 07:49

developer   ~51330

OK, thanks again.

c_schmitz

c_schmitz

2019-04-30 09:13

administrator   ~51683

Fixed in version 3.17.3

Issue History

Date Modified Username Field Change
2019-04-03 11:23 bewi New Issue
2019-04-03 11:23 bewi File Added: LimeSurvey - 07 - update survey group.png
2019-04-03 11:23 bewi File Added: LimeSurvey - 08 - survey list.png
2019-04-03 11:23 bewi File Added: LimeSurvey - 09 - survey list.png
2019-04-03 11:41 bewi File Added: LimeSurvey - 10 - survey preview.png
2019-04-03 11:41 bewi Note Added: 51298
2019-04-03 17:01 DenisChenu Assigned To => DenisChenu
2019-04-03 17:01 DenisChenu Status new => feedback
2019-04-03 17:01 DenisChenu Note Added: 51316
2019-04-03 17:01 DenisChenu Fixed in Version => 3.17.x
2019-04-04 07:31 bewi Note Added: 51329
2019-04-04 07:31 bewi Status feedback => assigned
2019-04-04 07:49 DenisChenu Status assigned => resolved
2019-04-04 07:49 DenisChenu Resolution open => fixed
2019-04-04 07:49 DenisChenu Note Added: 51330
2019-04-30 09:13 c_schmitz Note Added: 51683
2019-04-30 09:13 c_schmitz Status resolved => closed