View Issue Details

This bug affects 1 person(s).
IDProjectCategoryView StatusLast Update
18529Feature requestsSecuritypublic2022-12-05 11:48
ReporterLDBV Assigned To 
Status newResolutionopen 
Summary18529: Security Problem: Unlimited Password reset function in LimeSurvey 3.28

We made a Penetration-Test with our own LimeSurvey V3.28.32 Server.

The result was, that attackers having the necessary information to use the password reset function to trigger the sending of an email can repeat the required request as often as they wish and thus trigger the sending of an email to the target address again each time. This can on the one hand flood the target mailbox with emails and on the other hand create a load on the sending mail server, which slows it down or even overloads it.

To fix this, the number of emails sent should be limited. In addition, the sending of further password reset emails should be prevented as long as the affected user has not yet completed a previous reset process. or this is only a short time ago.


Tagspassword, security
Bug heat250
Story point estimate
Users affected %

Users monitoring this issue

There are no users monitoring this issue.


There are no notes attached to this issue.

Issue History

Date Modified Username Field Change
2022-11-30 11:15 LDBV New Issue
2022-11-30 11:16 LDBV Tag Attached: security
2022-11-30 11:16 LDBV Tag Attached: password
2022-12-05 11:48 ollehar Priority none => high