- Vulnerability: Persistent XSS
- Affected Software: LimeSurvey
- Affected Version: Version 2.05+ Build 150520 (probably also prior versions)
- Patched Version: Version 2.06+ Build 150618
- Risk: Low-Medium
- Vendor Contacted: 2015-05-27
- Vendor Fix: 2015-06-18
- Public Disclosure: 2015-06-27
Persistent XSS via File Title
The file upload question type has a stored XSS vulnerability:
- Create and activate survey with Question Type “File Upload”
- Take the survey, upload any valid file, and enter
<script>alert(1)</script>
as the comment or title.
- Visit the Display Responses page or the View Response details page; the injected script executes there.
Persistent XSS as registered User
There is a setting to disable JavaScript for all non-superadmin users, but two places still allow script injection regardless of this setting:
- XSS via Exit Link
- Create a new survey, as “End URL” enter
javascript:alert('test')
- Complete the survey and click the exit link
- XSS via User Group Description
- Create new user group, as “description” enter
</textarea><script>alert(1)</script>
- Visit
http://localhost/limesurvey/index.php/admin/usergroups/sa/edit/ugid/GROUPID
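All three findings above (file title/comment rendered on the response pages, the End URL turned into a link, and the group description placed inside a textarea) come down to untrusted strings reaching HTML or a URL attribute without a context-appropriate check. The following is an added illustration, not LimeSurvey's own code or the vendor's fix: it shows output encoding for the two HTML cases and a scheme allowlist for the End URL. Function names, the fallback path and the sample records are assumptions made for the example; the payloads are the ones from this advisory.

```python
import html
from urllib.parse import urlsplit

# Added illustration, not LimeSurvey code. All function names and the sample
# records below are hypothetical; the payloads are the ones from the advisory.


def escape_html_text(value: str) -> str:
    """Encode a string for HTML element content or a double-quoted attribute.

    html.escape with quote=True turns < > & " ' into entities, so a stored
    '<script>' is displayed as text instead of being parsed as markup.
    """
    return html.escape(value, quote=True)


def render_textarea(name: str, value: str) -> str:
    """Render a <textarea> pre-filled with stored text (e.g. a group description).

    Textarea content is raw text; the only way out of it is a literal
    '</textarea>'. Encoding '<' to '&lt;' removes that possibility.
    """
    return (
        f'<textarea name="{escape_html_text(name)}">'
        f"{escape_html_text(value)}</textarea>"
    )


def render_responses_table(rows) -> str:
    """Render uploaded-file metadata (Display Responses style), every cell encoded."""
    out = ["<table>"]
    for row in rows:
        cells = (row["filename"], row["title"], row["comment"])
        out.append(
            "<tr>" + "".join(f"<td>{escape_html_text(c)}</td>" for c in cells) + "</tr>"
        )
    out.append("</table>")
    return "".join(out)


ALLOWED_URL_SCHEMES = {"http", "https"}


def is_safe_end_url(url: str) -> bool:
    """Allowlist check: only absolute http(s) URLs may become the exit link.

    urlsplit lowercases the scheme, so 'JavaScript:' is rejected as well, and
    requiring a netloc rejects scheme-less or malformed values instead of
    trying to guess what the browser would do with them.
    """
    parts = urlsplit(url.strip())
    return parts.scheme in ALLOWED_URL_SCHEMES and bool(parts.netloc)


def render_exit_link(end_url: str, fallback: str = "/index.php") -> str:
    """Build the exit link; an End URL that fails the allowlist falls back to a fixed local page."""
    href = end_url.strip() if is_safe_end_url(end_url) else fallback
    return f'<a href="{escape_html_text(href)}">Exit and clear survey</a>'


# Constructed sample data carrying the advisory's payloads (not real survey output).
SAMPLE_RESPONSES = [
    {"filename": "report.pdf", "title": "Quarterly report", "comment": "final version"},
    {"filename": "x.txt", "title": "<script>alert(1)</script>", "comment": "<script>alert(1)</script>"},
]

if __name__ == "__main__":
    print(render_responses_table(SAMPLE_RESPONSES))
    print(render_textarea("description", "</textarea><script>alert(1)</script>"))
    print(render_exit_link("javascript:alert('test')"))
    print(render_exit_link("https://example.org/thanks"))
```

The design point is that the per-user "disable JavaScript" setting mentioned above is a policy on input, while the controls here act at output time in the context where the value is used; an encoding or allowlist applied at render time holds even for values that were stored before the setting existed or by a path that bypassed it.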
Timeline
- 2015-05-27: Initial Report (no reply)
- 2015-06-14: Requested Confirmation and Set Disclosure Date
- 2015-06-15: Vendor Confirmation and Fix Announcement
- 2015-06-18: Vendor Released Fix
- 2015-06-27: Disclosed