ID: 20269
Project: Bug reports
Category: Security
View Status: public
Last Update: 2025-09-19 10:30
Reporter: Mazi
Assigned To: (none)
Priority: none
Severity: block
Status: new
Resolution: open
Product Version: 6.6.x
Summary: 20269: Cross-site Scripting (XSS) affecting bootstrap-switch package
Description

According to a recent pentest, the bootstrap-switch package (version 3.3.2 located at h.../tmp/assets/e4430015/js/bootstrap-switch.min.js) has an XSS vulnerability.
Source: https://security.snyk.io/package/npm/bootstrap-switch/3.3.2
There is a fix available, but it never got added to the next release, see https://github.com/Bttstrp/bootstrap-switch/pull/730
It also seems that the library has not been maintained for several years: https://github.com/sensyn-robotics/bootstrap-switch

Can we replace/remove this outdated library?

The organisation which ran the pentest has a strict policy. They can only use Limesurvey once old/outdated libraries with security issues have been adjusted.

Steps To Reproduce

Check Limesurvey for vulnerabilities/outdated libraries.

Expected result

In a perfect world everything would be up to date and there would be no issues.

Actual result

Outdated library with vulnerability.

Tags: No tags attached.
Bug heat: 254
Complete LimeSurvey version number (& build): 6.15.2
I will donate to the project if issue is resolved: No
Browser: (not given)
Database type & version: x
Server OS (if known): (not given)
Webserver software & version (if known): (not given)
PHP Version: x

Activities

Mazi (updater), 2025-09-19 08:41, ~83444

@DenisChenu, any thoughts on how to best deal with this?

DenisChenu (developer), 2025-09-19 09:09, ~83445
Last edited: 2025-09-19 09:10

  1. There is no real issue with LimeSurvey, since a simple user cannot add $('[data-toggle="switch"]').bootstrapSwitch() and an admin user can add alert('XSS').
  2. You lose something moving from html to text.

Globally: I don't understand fixing a JS script where the user must set a specific JS. If he can set JS, he can just add XSS however he wants.

Still a good idea to move to https://getbootstrap.com/docs/5.0/forms/checks-radios/#switches and remove bootstrapSwitch
Or just use a checkbox … (or dropdown or radio)

Mazi (updater), 2025-09-19 09:20, ~83446

@DenisChenu: I second this. This is the reason why I hate these automated pentests. They often show issues that are not a real use case at all. But if the company has a strict policy, they may not be allowed to use Limesurvey due to such questionable findings.

DenisChenu (developer), 2025-09-19 09:37, ~83447
Last edited: 2025-09-19 09:37

My real opinion:

> Or just use a checkbox … (or dropdown or radio)

Simple and clean: 1. No need for JS, 2. A11Y proof, 3. Stability proof,

There are also: 4. Can use the browser's helper, 5. Can use a specific theme by user choice, except if we force some update here (not always a good idea).

Mazi (updater), 2025-09-19 10:26, ~83450

Bootstrap 5/6 supports .form-switch which should be a possible alternative to get rid of this library.
https://getbootstrap.com/docs/5.3/forms/checks-radios/#switches
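As an added example (not LimeSurvey, bootstrap-switch or Bootstrap code, and not something anyone in this thread posted), the Node script below shows what the replacement suggested in this note looks like at the markup level: a legacy `<input data-toggle="switch">` that needed `$('[data-toggle="switch"]').bootstrapSwitch()` becomes a Bootstrap 5 `.form-switch` that needs no JavaScript at all, so bootstrap-switch.min.js can be dropped. It also makes the "html to text" trade-off from the earlier note concrete: the old data-on-text/data-off-text values are emitted as escaped plain text in the new label, so markup in them is displayed literally rather than rendered. All function names and the sample template are assumptions constructed for this example; the script works on template strings, so it runs without a DOM.

```javascript
// Added example (not LimeSurvey, bootstrap-switch or Bootstrap code): rewrite
// legacy bootstrap-switch markup into Bootstrap 5 `.form-switch` markup, which
// needs no JavaScript initialisation (no `.bootstrapSwitch()` call), so the
// bootstrap-switch.min.js dependency can be removed. Function names are our own.

// Escape a value so it is inert as HTML text content or as an attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Matches one <input ...> tag; quoted attribute values may safely contain '>'.
const INPUT_TAG =
  /<input\b((?:\s+[a-zA-Z][\w-]*(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>"']+))?)*)\s*\/?>/gi;

// Parse the attribute text of a tag into an object (boolean attributes map to '').
function parseAttributes(attrText) {
  const attrs = {};
  const attrRe = /([a-zA-Z][\w-]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>"']+)))?/g;
  let m;
  while ((m = attrRe.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Build the Bootstrap 5 switch for one parsed legacy input. bootstrap-switch
// rendered data-on-text/data-off-text as HTML; here they become the plain-text
// label, escaped, which is the "html to text" trade-off discussed in the thread.
function buildFormSwitch(attrs, index) {
  const id = attrs.id || attrs.name || `switch-${index}`;
  const onText = attrs['data-on-text'] || 'On';
  const offText = attrs['data-off-text'] || 'Off';
  const name = attrs.name ? ` name="${escapeHtml(attrs.name)}"` : '';
  const value = attrs.value ? ` value="${escapeHtml(attrs.value)}"` : '';
  const checked = 'checked' in attrs ? ' checked' : '';
  return (
    '<div class="form-check form-switch">' +
    `<input class="form-check-input" type="checkbox" role="switch" id="${escapeHtml(id)}"${name}${value}${checked}>` +
    `<label class="form-check-label" for="${escapeHtml(id)}">${escapeHtml(onText)} / ${escapeHtml(offText)}</label>` +
    '</div>'
  );
}

// Replace every <input data-toggle="switch"> in a template string; every other
// input is returned untouched.
function migrateSwitches(html) {
  let index = 0;
  return html.replace(INPUT_TAG, (tag, attrText) => {
    const attrs = parseAttributes(attrText);
    if ((attrs['data-toggle'] || '').toLowerCase() !== 'switch') return tag;
    index += 1;
    return buildFormSwitch(attrs, index);
  });
}

// Constructed sample template (not from LimeSurvey): one legacy switch whose
// on-text carries markup, and one plain text input that must be left alone.
const SAMPLE_TEMPLATE =
  '<input type="checkbox" data-toggle="switch" name="agree" data-on-text="<b>Yes</b>" data-off-text="No" checked>\n' +
  '<input type="text" name="comment">';

console.log(migrateSwitches(SAMPLE_TEMPLATE));
```

Run it with `node` on a copy of a template to see the converted markup; the generated `<input>` works with Bootstrap 5's own CSS only, so once every template is converted, the bootstrap-switch script and stylesheet can be removed from the asset bundle.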

DenisChenu (developer), 2025-09-19 10:30, ~83451

Or just a checkbox ;)

Issue History

Date Modified Username Field Change
2025-09-19 08:40 Mazi New Issue
2025-09-19 08:41 Mazi Note Added: 83444
2025-09-19 08:41 Mazi Bug heat 250 => 252
2025-09-19 09:09 DenisChenu Note Added: 83445
2025-09-19 09:09 DenisChenu Bug heat 252 => 254
2025-09-19 09:09 DenisChenu Note Edited: 83445
2025-09-19 09:10 DenisChenu Note Edited: 83445
2025-09-19 09:20 Mazi Note Added: 83446
2025-09-19 09:37 DenisChenu Note Added: 83447
2025-09-19 09:37 DenisChenu Note Edited: 83447
2025-09-19 10:26 Mazi Note Added: 83450
2025-09-19 10:30 DenisChenu Note Added: 83451