View Issue Details

ID: 15141
Project: Bug reports
Category: [All Projects] Security
View Status: public
Last Update: 2019-08-08 16:42
Reporter: ma77ie
Assigned To: markusfluer
Priority: none
Severity: major
Status: feedback
Resolution: open
Product Version: 3.17.x
Target Version:
Fixed in Version:
Summary: 15141: Limesurvey uses an out-of-date version of bootstrap.min.js that has security vulnerabilities
Description

Limesurvey uses an out-of-date version of bootstrap.min.js (version 3.3.7) which has security vulnerabilities ( https://www.cvedetails.com/vulnerability-list/vendor_id-19522/product_id-51406/version_id-286029/Getbootstrap-Bootstrap-3.3.7.html ) and should be upgraded to the latest version to fix these vulnerabilities.

Steps To Reproduce

Viewing source of the home page shows the line including bootstrap.min.js:

<script type="text/javascript" src="/surveys/tmp/assets/bd9506bc/bootstrap.min.js" class="headScriptTag"></script>

The start of bootstrap.min.js itself shows the version number:

/*!

Tags: No tags attached.
Complete LimeSurvey version number (& build): 3.17.9+190731
I will donate to the project if issue is resolved: No
Browser:
Database & DB-Version: MySQL 5.7.20
Server OS (if known):
Webserver software & version (if known):
PHP Version: 7.0.33
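The two reproduction steps above (find the script tag in the page source, then read the version from the banner comment at the top of the file) can be turned into a repeatable check, so that a bundled Bootstrap build is flagged the next time an upgrade is missed. The script below is an added example for this issue, not LimeSurvey code or the reporter's: the HTML and the JavaScript banners it scans are constructed samples modelled on the script tag quoted in the report, and the MINIMUM_OK baseline is an assumed policy value (the report itself only says "latest"), so set it to whatever your own patch policy requires. A file whose banner cannot be read is reported as failing rather than passing, because an unverifiable build is not a known-good one.

```python
"""Audit a page's script tags for a bundled Bootstrap build and read its banner version.

Added example for this issue, not LimeSurvey code. All sample HTML and JS below
is constructed; the asset path mirrors the one quoted in the report.
"""
import re
from typing import Callable, Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Constructed sample of a page <head>, modelled on the script tag quoted in the report.
SAMPLE_HTML = """<html><head>
<script type="text/javascript" src="/surveys/tmp/assets/bd9506bc/jquery.min.js"></script>
<script type="text/javascript" src="/surveys/tmp/assets/bd9506bc/bootstrap.min.js" class="headScriptTag"></script>
<script type="text/javascript" src="/surveys/tmp/assets/bd9506bc/limesurvey.js"></script>
</head><body></body></html>"""

# Constructed stand-in for what the web server would return for each asset. Only the
# leading /*! ... */ banner matters for the check, so the code bodies are abbreviated.
SAMPLE_ASSETS: Dict[str, str] = {
    "/surveys/tmp/assets/bd9506bc/jquery.min.js":
        "/*! jQuery v3.4.1 | (c) JS Foundation */\n!function(){}();",
    "/surveys/tmp/assets/bd9506bc/bootstrap.min.js":
        "/*!\n * Bootstrap v3.3.7 (http://getbootstrap.com)\n * Copyright 2011-2016 Twitter, Inc.\n */\n!function(){}();",
    "/surveys/tmp/assets/bd9506bc/limesurvey.js":
        "// application code, no banner\n",
}

# Assumed policy baseline for this example: any Bootstrap older than this is reported.
# The report only says "latest"; adjust this to your own patch policy.
MINIMUM_OK: Version = (3, 4, 1)

SCRIPT_SRC_RE = re.compile(r'<script\b[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)
BANNER_VERSION_RE = re.compile(r'Bootstrap\s+v(\d+)\.(\d+)\.(\d+)')


def find_script_sources(html: str) -> List[str]:
    """Return every <script src=...> value in document order."""
    return SCRIPT_SRC_RE.findall(html)


def is_bootstrap_asset(src: str) -> bool:
    """Match bootstrap.js / bootstrap.min.js regardless of the hashed asset directory."""
    name = src.rsplit("/", 1)[-1].split("?", 1)[0].lower()
    return name in ("bootstrap.js", "bootstrap.min.js")


def parse_banner_version(js_text: str) -> Optional[Version]:
    """Read 'Bootstrap vX.Y.Z' from the leading banner comment; None if absent."""
    head = js_text.lstrip()
    if not head.startswith("/*"):
        return None                      # no banner comment at the top of the file
    end = head.find("*/")
    banner = head if end == -1 else head[:end]
    m = BANNER_VERSION_RE.search(banner)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def audit_page(html: str, fetch: Callable[[str], str],
               minimum: Version = MINIMUM_OK) -> List[Tuple[str, Optional[Version], bool]]:
    """For each Bootstrap script on the page, return (src, version, meets_minimum).

    `fetch` maps a script src to the file's text (here a dict lookup; in a real run it
    would be an HTTP GET against the site). An unreadable banner yields False: a build
    whose version cannot be established is treated as unverified, not as passing.
    """
    findings = []
    for src in find_script_sources(html):
        if not is_bootstrap_asset(src):
            continue
        version = parse_banner_version(fetch(src))
        findings.append((src, version, version is not None and version >= minimum))
    return findings


if __name__ == "__main__":
    for src, version, ok in audit_page(SAMPLE_HTML, SAMPLE_ASSETS.__getitem__):
        label = ".".join(map(str, version)) if version else "unknown"
        print(f"{'OK      ' if ok else 'OUTDATED'} {src} (Bootstrap {label})")
```

Run against a live deployment, `fetch` would be replaced by a function that retrieves each src relative to the site root; comparing the banner version, rather than trusting the directory name, matters because the hashed asset path gives no hint of which Bootstrap release it holds.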

Activities

markusfluer (administrator), 2019-08-08 16:41, note ~53152

Since the switch to Bootstrap v4 has a potentially breaking impact on the software, this will not be done for LimeSurvey version 3 or 4, but rather for LimeSurvey version 5, planned for 2020.

The mentioned XSS vulnerabilities are all dependent on an injection of code into specific target attributes on HTML elements and thus very hard to do for non-administrative users in LimeSurvey.
For any of the mentioned vulnerabilities you can create an actual exploit for, we will work on fixing them accordingly, if necessary with an addition to core Bootstrap or jQuery.

Issue History

Date Modified Username Field Change
2019-08-07 14:23 ma77ie New Issue
2019-08-08 16:41 markusfluer Note Added: 53152
2019-08-08 16:42 markusfluer Assigned To => markusfluer
2019-08-08 16:42 markusfluer Status new => feedback