14765: Persistent XSS for Menu Entries - LimeSurvey bugs and feature requests

This bug affects 1 person(s).

252

ID	Project	Category	View Status	Date Submitted	Last Update

14765	Bug reports	Security	public	2019-04-10 15:48	2019-04-30 09:13

Reporter	bewi	Assigned To	p_teichmann
Priority	none	Severity	minor
Status	closed	Resolution	fixed
Product Version	3.17.x
Fixed in Version	3.17.x

Summary	14765: Persistent XSS for Menu Entries
Description	fields 'title' and 'link' are not secured and execute HTML code if shown in list
Steps To Reproduce	create a new menu-entry with payload `<script>alert('menu entries->fieldname');</script>` in the fields 'title' and 'link', then change to page in listing, where this entry is shown
Tags	No tags attached.
Attached Files	LimeSurvey - 11 - menu entry.png (50,527 bytes) LimeSurvey - 11 - menu entry.png (50,527 bytes)

Bug heat	252
Complete LimeSurvey version number (& build)	Version 3.17.1+190408
I will donate to the project if issue is resolved	No
Browser	FF
Database type & version	mysql
Server OS (if known)	*
Webserver software & version (if known)	*
PHP Version	7.2

User List	There are no users monitoring this issue.

Date Modified	Username	Field	Change
2019-04-10 15:48	bewi	New Issue
2019-04-10 15:48	bewi	File Added: LimeSurvey - 11 - menu entry.png
2019-04-16 15:26	p_teichmann	Assigned To	=> p_teichmann
2019-04-16 15:26	p_teichmann	Status	new => assigned
2019-04-16 17:18	p_teichmann	Status	assigned => resolved
2019-04-16 17:18	p_teichmann	Resolution	open => fixed
2019-04-16 17:18	p_teichmann	Fixed in Version	=> 3.17.x
2019-04-30 09:13	c_schmitz	Note Added: 51679
2019-04-30 09:13	c_schmitz	Status	resolved => closed

c_schmitz 2019-04-30 09:13 administrator ~51679	Fixed in version 3.17.3