View Issue Details

This bug affects 2 person(s).
ID: 19492
Project: Bug reports
Category: Security
View Status: public
Last Update: 2024-03-21 15:40
Reporter: LDBV
Assigned To:
Status: new
Resolution: open
Product Version: 6.4.x
Summary: 19492: Different minimum password requirements inside and outside of LimeSurvey


We had a pen test for our LimeSurvey V6 server. The testers have found several critical security problems (we open different bug report tickets).

When you have forgotten your password and ask LimeSurvey for a new password, you get a mail with a link to change your password.

This password change link has different minimum password requirements (min. 8 characters, min. 1 number, min. 1 capital letter) compared to the password change function inside of LimeSurvey (our stricter settings are min. 10 characters, min. 1 number, min. 1 capital letter, min. 1 special character).

Dr. Minke (Survey-Consulting) told us that there is no way to change the settings (min. 8 characters, min. 1 number, min. 1 capital letter) of the "external" password change screen.

The "external" password change screen should
a) preferably use the same settings as the "internal" password change screen (which we admins can change) (preferred)
b) otherwise enable the admins to change the minimum password settings of the "external" password change screen.

Thank you.

Steps To Reproduce

In the login screen you click on "Forgot password?".

The "external" password change screen opens and only wants the password to have min. 8 characters, min. 1 number, min. 1 capital letter. Our stricter specified minimum password settings are ignored (min. 10 characters, min. 1 number, min. 1 capital letter, min. 1 special character).

The "internal" password change screen of LimeSurvey V6 (username - account - change password) correctly uses our stricter specified minimum password settings.

Both password change screens should use the same admin user specified password settings.

Tags: No tags attached.
Bug heat: 258
Complete LimeSurvey version number (& build): both 6.4.6+240212 and 6.5.0+240319
I will donate to the project if issue is resolved: No
Browser: Regardless of the browser
Database type & version: MySQL 8.0.36
Server OS (if known): SLES 15.5
Webserver software & version (if known): Apache 2.4.51
PHP Version: PHP 8.0.30

Users monitoring this issue

There are no users monitoring this issue.




2024-03-21 15:40

updater   ~79822

Last edited: 2024-03-21 15:40

@DenisChenu, are you aware of a special setting for password strength at the "Forgot PW" function?

Issue History

Date Modified | Username | Field | Change
2024-03-21 13:25 | LDBV | New Issue |
2024-03-21 15:40 | guest | Bug heat | 250 => 256
2024-03-21 15:40 | Mazi | Note Added: 79822 |
2024-03-21 15:40 | Mazi | Bug heat | 256 => 258
2024-03-21 15:40 | Mazi | Note Edited: 79822 |