View Issue Details

ID: 15141
Project: Bug reports
Category: Security
View Status: public
Last Update: 2020-05-11 08:40
Reporter: ma77ie
Assigned To: cdorin
Status: new
Resolution: open
Product Version: 3.17.x
Summary: 15141: Limesurvey uses an out-of-date version of bootstrap.min.js that has security vulnerabilities

Limesurvey uses an out-of-date version of bootstrap.min.js (version 3.3.7) which has security vulnerabilities ( ) and should be upgraded to the latest version to fix these vulnerabilities.

Steps To Reproduce

Viewing source of the home page shows the line including bootstrap.min.js:-

<script type="text/javascript" src="/surveys/tmp/assets/bd9506bc/bootstrap.min.js" class="headScriptTag"></script>

The start of bootstrap.min.js itself shows the version number:-


Tags: No tags attached.
Complete LimeSurvey version number (& build): 3.17.9+190731
I will donate to the project if issue is resolved: No
Database & DB-Version: MySQL 5.7.20
Server OS (if known):
Webserver software & version (if known):
PHP Version: 7.0.33




2019-08-08 16:41

administrator   ~53152

Since the switch to Bootstrap v4 has a potentially breaking impact on the software, this will not be done for LimeSurvey version 3 or 4, but rather for LimeSurvey version 5, planned for 2020.

The mentioned XSS vulnerabilities are all dependent on an injection of code into specific target attributes on HTML-elements and thus very hard to do for non-administrative users in LimeSurvey.
For any of the mentioned vulnerabilities you can create an actual exploit for, we will work on fixing them accordingly, if necessary with an addition to core Bootstrap or jQuery.



2019-08-19 10:13

developer   ~53190

@markusfluer :
Have the fix, the update can be done without breaking BS compatibility

Security: Fixed an XSS vulnerability (CVE-2019-8331) in our tooltip and popover plugins by implementing a new HTML sanitizer
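
The version check from the steps to reproduce, automated against the fix quoted above. This is an added example, not LimeSurvey or Bootstrap code: the function names are hypothetical, the sample banners are constructed, and the fixed releases 3.4.1 and 4.3.1 are taken from the public CVE-2019-8331 record rather than from this issue.

```javascript
// Classify a Bootstrap bundle against CVE-2019-8331 using its license banner.
// Assumption: fixed releases per the CVE record are 3.4.1 (3.x) and 4.3.1 (4.x).
const FIXED = { 3: [3, 4, 1], 4: [4, 3, 1] };

// Extract [major, minor, patch] from the banner at the top of bootstrap(.min).js.
function bootstrapVersion(source) {
  const head = source.slice(0, 512); // the banner sits in the first comment
  const m = /Bootstrap\s+v(\d+)\.(\d+)\.(\d+)/.exec(head);
  return m ? m.slice(1, 4).map(Number) : null;
}

// Numeric comparison per component; string comparison would mis-order 3.10 and 3.4.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function checkBundle(source) {
  const v = bootstrapVersion(source);
  // A minifier or asset pipeline may strip the banner; report that, do not guess.
  if (!v) return { status: "unknown", version: null };
  const version = v.join(".");
  const fixed = FIXED[v[0]];
  // Only the 3.x and 4.x branches are assessed here.
  if (!fixed) return { status: "unchecked", version };
  return {
    status: compare(v, fixed) < 0 ? "affected" : "not-affected",
    version,
    fixedIn: fixed.join("."),
  };
}

// Constructed sample banners (shortened bundle bodies).
const SAMPLE_337 =
  "/*!\n * Bootstrap v3.3.7 (http://getbootstrap.com)\n */\nif(!window.jQuery)throw 0;";
const SAMPLE_341 = "/*!\n * Bootstrap v3.4.1 (https://getbootstrap.com/)\n */\n";

console.log(checkBundle(SAMPLE_337)); // the version reported in this issue
console.log(checkBundle(SAMPLE_341));
```

A banner only states what the file claims to be, so a patched or repackaged bundle needs a file hash comparison against the upstream release instead.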



2020-05-11 08:40

developer   ~57648

Markus quit Mantis

Issue History

Date Modified | Username | Field | Change
2019-08-07 14:23 | ma77ie | New Issue |
2019-08-08 16:41 | markusfluer | Note Added: 53152 |
2019-08-08 16:42 | markusfluer | Assigned To | => markusfluer
2019-08-08 16:42 | markusfluer | Status | new => feedback
2019-08-19 10:13 | DenisChenu | Note Added: 53190 |
2020-05-11 08:40 | DenisChenu | Assigned To | markusfluer => cdorin
2020-05-11 08:40 | DenisChenu | Status | feedback => new
2020-05-11 08:40 | DenisChenu | Note Added: 57648 |