@DenisChenu, where you able to reproduce it? Saw also this one: [15222]

thank you cdorin & Denis
ps: little error in my description, I've upgraded 3.17.13 -> 3.17.15 (so maybe the error was present on 3.17.14 as mentioned in [15222]

Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=29089

@cdorin : yes, child of security issue with multiple params …
Still bad to have multiple params, but need only to fill user param : fixed, but the issue with sa VS subaction VS sSubAction still there.

subaction and sSubAction come from code … not from user param here …

@Denis: a really big thanks! in the meanwhile, I've downgraded to 3.17.13 ... seems to work but I'll try your fix

The version before 3.17.14 have a « reflected XSS vulnerabilities» in surveyid param …

@fradeff : if you manually apply the fix : https://github.com/LimeSurvey/LimeSurvey/commit/de7707d700d1304110eca1e12fd22b3aa1d011b7

I found an issue in quota too, but i didn't test ALL action …

Thanks for the correction ! I had the problem this morning, just after the update from 3.17.10 ->3.17.15 and it's a real problem in my company.
Do you know when the error will be available in comfort updates ?

@Aurore, tomorrow morning we will create a new minor release (the latest). We are sorry for the caused inconveniences.

Thank you @DenisChenu for the quick fix!

Thanks for your answer @cdorin and @DenisChenu for fixing this issue !

Warning , if you need to fix quickly the issue,
This https://github.com/LimeSurvey/LimeSurvey/commit/e13cbeb7d06362b4885bbff549ec3cce53707654
must be done too (for quota editing and maybe some other place).

I introduce the issue here : https://github.com/LimeSurvey/LimeSurvey/commit/f1c1ad2d24eb262363511fcca2e96ce737064006

Fixed in Release 3.17.16+190906