View Issue Details

ID: 15141
Project: Bug reports
Category: [All Projects] Security
View Status: public
Last Update: 2019-08-19 10:17
Reporter: ma77ie
Assigned To: markusfluer
Status: feedback
Resolution: open
Product Version: 3.17.x
Target Version:
Fixed in Version:
Summary: 15141: Limesurvey uses an out-of-date version of bootstrap.min.js that has security vulnerabilities

Limesurvey uses an out-of-date version of bootstrap.min.js (version 3.3.7) which has security vulnerabilities ( ) and should be upgraded to the latest version to fix these vulnerabilities.

Steps To Reproduce

Viewing source of the home page shows the line including bootstrap.min.js:-

<script type="text/javascript" src="/surveys/tmp/assets/bd9506bc/bootstrap.min.js" class="headScriptTag"></script>

The start of bootstrap.min.js itself shows the version number:-


Tags: No tags attached.
Complete LimeSurvey version number (& build): 3.17.9+190731
I will donate to the project if issue is resolved: No
Database & DB-Version: MySQL 5.7.20
Server OS (if known):
Webserver software & version (if known):
PHP Version: 7.0.33




2019-08-08 16:41

administrator   ~53152

Since the switch to Bootstrap v4 has a potentially breaking impact on the software, this will not be done for LimeSurvey version 3 or 4, but rather for LimeSurvey version 5, planned for 2020.

The mentioned XSS vulnerabilities are all dependent on an injection of code into specific target attributes on HTML-elements and thus very hard to do for non-administrative users in LimeSurvey.
For any of the mentioned vulnerabilities you can create an actual exploit for, we will work on fixing them accordingly. If necessary with an addition to core Bootstrap, or jQuery.



2019-08-19 10:13

developer   ~53190

@markusfluer :
Have the fix, the update can be done without breaking BS compatibility

Security: Fixed an XSS vulnerability (CVE-2019-8331) in our tooltip and popover plugins by implementing a new HTML sanitizer
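
The asset is served from a hashed directory (`/surveys/tmp/assets/bd9506bc/`), so the version has to be read from the file's banner comment, as the steps to reproduce describe. The following is an added example, not part of the issue thread and not LimeSurvey or Bootstrap code: it reads that banner and compares it with the first releases carrying the CVE-2019-8331 sanitizer (3.4.1 and 4.3.1, taken from the upstream Bootstrap release notes, not from this page). The function names and the sample banners are constructed for illustration.

```javascript
// Added example (not LimeSurvey or Bootstrap code).
// First releases with the tooltip/popover sanitizer for CVE-2019-8331,
// per upstream Bootstrap release notes (assumption: not stated on this page).
const FIXED_IN = { 3: [3, 4, 1], 4: [4, 3, 1] };

// Read "x.y.z" from the banner comment at the top of bootstrap(.min).js.
function bannerVersion(source) {
  // Anchor on the leading comment so version-like strings elsewhere in a
  // concatenated bundle are not picked up.
  const m = /^\s*\/\*!?[\s\S]{0,200}?Bootstrap v(\d+)\.(\d+)\.(\d+)/.exec(source);
  return m ? m.slice(1, 4).map(Number) : null;
}

// Three-part numeric comparison: -1, 0 or 1.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function assess(source) {
  const v = bannerVersion(source);
  // Banner stripped or rewritten by a build step: the version cannot be confirmed.
  if (!v) return { version: null, status: "unknown" };
  const version = v.join(".");
  if (v[0] >= 5) return { version, status: "fixed" };
  // Lines older than 3.x never received the fix, so hold them to the 3.x floor.
  const floor = FIXED_IN[v[0]] || FIXED_IN[3];
  const status = cmp(v, floor) < 0 ? "vulnerable" : "fixed";
  return { version, status, fixedIn: floor.join(".") };
}

// Constructed sample inputs modelled on the banner the report refers to.
const SAMPLE_337 = '/*!\n * Bootstrap v3.3.7 (http://getbootstrap.com)\n' +
  ' * Copyright 2011-2016 Twitter, Inc.\n */\n' +
  'if("undefined"==typeof jQuery)throw new Error("x");';
const SAMPLE_341 = '/*!\n * Bootstrap v3.4.1 (https://getbootstrap.com/)\n */\n+function(){}();';

console.log(assess(SAMPLE_337));
console.log(assess(SAMPLE_341));
```

An "unknown" result means the banner was not found, not that the file is safe.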

Issue History

Date Modified Username Field Change
2019-08-07 14:23 ma77ie New Issue
2019-08-08 16:41 markusfluer Note Added: 53152
2019-08-08 16:42 markusfluer Assigned To => markusfluer
2019-08-08 16:42 markusfluer Status new => feedback
2019-08-19 10:13 DenisChenu Note Added: 53190