View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 20435 | Bug reports | Security | public | 2026-02-23 18:18 | 2026-02-23 19:12 |
| Reporter | jarrod.c | Assigned To | |||
| Priority | none | Severity | minor | ||
| Status | new | Resolution | open | ||
| Product Version | 6.6.x | ||||
| Summary | 20435: Web Cache Deception | ||||
| Description | Vulnerability: Survey is affected by the following vulnerability: https://www.invicti.com/web-vulnerability-scanner/vulnerabilities/web-cache-deception Cause: Rewrite rule on line 9: https://github.com/LimeSurvey/LimeSurvey/blob/571bab902ed2a7f0de0e2762a14c57341bc94bb3/.htaccess#L9 | ||||
| Steps To Reproduce | Steps to reproduce: (Replace this text with detailed step-by-step instructions on how to reproduce the issue) Expected result: (Write here what you expected to happen) Actual result: (Write here what happened instead) | ||||
| Tags | No tags attached. | ||||
| Bug heat | 260 | ||||
| Complete LimeSurvey version number (& build) | 6.16.7+260205 | ||||
| I will donate to the project if issue is resolved | No | ||||
| Browser | |||||
| Database type & version | Irrelevant | ||||
| Server OS (if known) | |||||
| Webserver software & version (if known) | |||||
| PHP Version | Irrelevant | ||||

@jarrod.c Please provide a step by step "how to reproduce".

Expected result: 404 or redirect to the root of the directory or redirect to index.php directly

Actual result: responds with 200 and blindly serves index.php

| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2026-02-23 18:18 | jarrod.c | New Issue | |
| 2026-02-23 18:46 | tibor.pacalat | Note Added: 84273 | |
| 2026-02-23 18:46 | tibor.pacalat | Bug heat | 250 => 252 |
| 2026-02-23 19:12 | jarrod.c | Note Added: 84276 | |
| 2026-02-23 19:12 | jarrod.c | Bug heat | 252 => 254 |
| 2026-02-23 19:46 | guest | Bug heat | 254 => 260 |