View Issue Details

ID: 16396
Project: Bug reports
Category: Security
View Status: public
Last Update: 2020-06-22 09:04
Reporter: DenisChenu
Assigned To: DenisChenu
Priority: none
Severity: minor
Status: closed
Resolution: fixed
Product Version: 3.22.20
Fixed in Version: 3.22.20
Summary: 16396: Multiple self-stored XSS in printanswers
Description

A lot of other and comments are not encoded when thrown to the user

Steps To Reproduce

Import included survey
Launch with token TEST
Submit
Print answers : 6 XSS

Additional Information

… …

Concept issue : when updating whole printanswers : nothing was done against XSS.

If we have a test for this : the test was disabled since it was totally different pages
Auto test limit here …

Tags: No tags attached.
Complete LimeSurvey version number (& build): 3.22.20
I will donate to the project if issue is resolved: No
Browser: not relevant
Database & DB-Version: not relevant
Server OS (if known): not relevant
Webserver software & version (if known): not relevant
PHP Version: not relevant

Activities

DenisChenu (developer)
2020-06-18 16:26

DenisChenu (developer), note ~58341
2020-06-18 18:21

No way for 4.X

lime_release_bot (administrator), note ~58369
2020-06-22 09:04

Fixed in Release 3.22.21+200622

Related Changesets

LimeSurvey: 3.x-LTS afcb6572
2020-06-18 18:10:35
DenisChenu

Fixed issue [security] 16396: Multiple self-stored XSS in printanswer
Dev: Add answercode for testing if other (-oth-)
Dev: fix other : single choice and multiple choice
Dev: div fix comments on multiple with comments
Dev: list with comment not fixed (comments are not shown …)
Affected Issues: 16396

mod - application/models/SurveyDynamic.php
mod - themes/survey/vanilla/views/subviews/printanswers/question_types/template_list-dropdown.twig
mod - themes/survey/vanilla/views/subviews/printanswers/question_types/template_list-radio.twig
mod - themes/survey/vanilla/views/subviews/printanswers/question_types/template_multiple-opt-comments.twig
mod - themes/survey/vanilla/views/subviews/printanswers/question_types/template_multiple-opt.twig

Issue History

Date Modified Username Field Change
2020-06-18 16:26 DenisChenu New Issue
2020-06-18 16:26 DenisChenu Status new => assigned
2020-06-18 16:26 DenisChenu Assigned To => DenisChenu
2020-06-18 16:26 DenisChenu File Added: survey_archive_XSSprintanswers.lsa
2020-06-18 16:26 DenisChenu File Added: Capture d’écran du 2020-06-18 16-20-45.png
2020-06-18 18:18 DenisChenu Issue cloned: 16401
2020-06-18 18:21 DenisChenu Changeset attached => LimeSurvey 3.x-LTS afcb6572
2020-06-18 18:21 DenisChenu Status assigned => resolved
2020-06-18 18:21 DenisChenu Resolution open => fixed
2020-06-18 18:21 DenisChenu Fixed in Version => 3.22.20
2020-06-18 18:21 DenisChenu Note Added: 58341
2020-06-22 09:04 lime_release_bot Note Added: 58369
2020-06-22 09:04 lime_release_bot Status resolved => closed