View Issue Details

Related ChangesetsJump to NotesJump to History
This bug affects 1 person(s).
 256
IDProjectCategoryView StatusDate SubmittedLast Update
18974Bug reportsSecuritypublic2023-07-20 17:492023-07-31 12:32
ReporterDenisChenu Assigned ToDenisChenu  
PrioritynoneSeveritypartial_block 
Status closedResolutionfixed 
Product Version6.1.x 
Summary18974: Stored XSS via user's Full Name in limesurvey/limesurvey
Description

" accesskey="X" onclick="alert(document.domain) in user Full name

Steps To Reproduce

Steps to reproduce

Login as a normal user and change the Full name to: " accesskey="X" onclick="alert(document.domain)

Login as a privileged user who can manage users such as an administrator.
Go to user management page and select the corresponding user and click on Delete user.

Press ALT+SHIFT+X on Windows or CTRL+ALT+X on OS X.

Expected result

Nothing shown, (and user name are show encoded)

Actual result

XSS and fuill user name are not shown

TagsNo tags attached.
Bug heat256
Complete LimeSurvey version number (& build)6.1.8
I will donate to the project if issue is resolvedNo
Browserfirefox
Database type & versionnot releveant
Server OS (if known)not releveant
Webserver software & version (if known)not releveant
PHP Versionnot releveant

Users monitoring this issue

There are no users monitoring this issue.

Activities

DenisChenu

DenisChenu

2023-07-20 17:49

developer   ~76200

https://huntr.dev/bounties/22fb76b7-ac9f-4d70-b244-5af7b3c8c246/
tibor.pacalat

tibor.pacalat

2023-07-21 11:29

administrator   ~76210

Last edited: 2023-07-21 11:30

I can not reproduce this on current master.
DenisChenu

DenisChenu

2023-07-21 14:08

developer   ~76222

Last edited: 2023-07-21 14:09

I can, in Firefox on Linux with ALT+SHIFT+X

Peek 21-07-2023 14-08.gif (581,989 bytes)
tibor.pacalat

tibor.pacalat

2023-07-21 14:18

administrator   ~76223

Ok, I managed to reproduce this in Firefox. But in Chrome I can't.
DenisChenu

DenisChenu

2023-07-21 17:35

developer   ~76231

Access key are different for each browser : https://developer.mozilla.org/en-US/docs/Web/HTML/Global_attributes/accesskey#try_it

master : https://github.com/LimeSurvey/LimeSurvey/pull/3300
5X have same issue : https://github.com/LimeSurvey/LimeSurvey/pull/3301
tibor.pacalat

tibor.pacalat

2023-07-27 17:34

administrator   ~76311

Tested and merged.
DenisChenu

DenisChenu

2023-07-27 17:42

developer   ~76312

Fix committed to 5.x branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=35277
LimeBot

LimeBot

2023-07-31 12:32

administrator   ~76359

Fixed in Release 5.6.32+230731

Related Changesets

LimeSurvey: 5.x 98443411

2023-07-27 17:33:43

DenisChenu


Committer: GitHub Details Diff 		Fixed issue 18974: [security] Stored XSS via user's Full Name (#3301)

Dev: remove unused, unsecure and unescaped value		 Affected Issues
18974
mod - application/controllers/UserManagementController.php Diff File
mod - application/views/userManagement/partial/confirmuserdelete.php Diff File

Issue History

Date Modified Username Field Change
2023-07-20 17:49 DenisChenu New Issue
2023-07-20 17:49 DenisChenu Note Added: 76200
2023-07-20 17:49 DenisChenu Bug heat 250 => 252
2023-07-20 18:08 DenisChenu Assigned To => DenisChenu
2023-07-20 18:08 DenisChenu Status new => assigned
2023-07-21 11:29 tibor.pacalat Note Added: 76210
2023-07-21 11:29 tibor.pacalat Bug heat 252 => 254
2023-07-21 11:30 tibor.pacalat Note Edited: 76210
2023-07-21 14:08 DenisChenu Note Added: 76222
2023-07-21 14:08 DenisChenu File Added: Peek 21-07-2023 14-08.gif
2023-07-21 14:09 DenisChenu Note Edited: 76222
2023-07-21 14:18 tibor.pacalat Note Added: 76223
2023-07-21 17:35 DenisChenu Note Added: 76231
2023-07-21 17:35 DenisChenu Assigned To DenisChenu => gabrieljenik
2023-07-21 17:35 DenisChenu Status assigned => ready for code review
2023-07-24 08:57 DenisChenu Status ready for code review => in code review
2023-07-25 16:38 DenisChenu Assigned To gabrieljenik => tibor.pacalat
2023-07-25 16:38 DenisChenu Status in code review => ready for testing
2023-07-27 17:34 tibor.pacalat Status ready for testing => resolved
2023-07-27 17:34 tibor.pacalat Resolution open => fixed
2023-07-27 17:34 tibor.pacalat Note Added: 76311
2023-07-27 17:42 DenisChenu Changeset attached => LimeSurvey 5.x 98443411
2023-07-27 17:42 DenisChenu Note Added: 76312
2023-07-27 17:42 DenisChenu Assigned To tibor.pacalat => DenisChenu
2023-07-31 12:32 LimeBot Note Added: 76359
2023-07-31 12:32 LimeBot Status resolved => closed
2023-07-31 12:32 LimeBot Bug heat 254 => 256