• Vulnerability: Persistent XSS
  • Affected Software: LimeSurvey
  • Affected Version: Version 2.05+ Build 150520 (probably also prior versions)
  • Patched Version: Version 2.06+ Build 150618
  • Risk: Low-Medium
  • Vendor Contacted: 2015-05-27
  • Vendor Fix: 2015-06-18
  • Public Disclosure: 2015-06-27

Persistent XSS via File Title

The file upload question type has a stored XSS vulnerability:

  1. Create and activate a survey containing a question of type “File Upload”.
  2. Take the survey, upload any valid file, and enter <script>alert(1)</script> as the file's comment or title.
  3. Visit the Display Responses page or the View Response details page; both render the stored value unescaped and execute the injected script.

Persistent XSS as registered User

There is a setting to disable JavaScript for all non-superadmin users, but two places still allow scripts to be injected regardless of that setting:

  • XSS via Exit Link
    1. Create a new survey and enter javascript:alert('test') as its “End URL”.
    2. Complete the survey and click the exit link; the javascript: URL is placed in the link unchecked and runs when clicked.
  • XSS via User Group Description
    1. Create a new user group and enter </textarea><script>alert(1)</script> as its “description”.
    2. Visit http://localhost/limesurvey/index.php/admin/usergroups/sa/edit/ugid/GROUPID; the description is echoed inside a <textarea> without escaping, so the closing tag breaks out of it and the script runs.
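The three findings above share one root cause: stored user input reaches an HTML text node, an href attribute, or a <textarea> body without context-appropriate output encoding or validation. The following is an added example written for this page, not LimeSurvey's own (PHP) code; it uses Python's standard library to show the fixes a defender would apply for each context, feeding it the advisory's own payloads as constructed sample inputs. The function names (render_text, safe_end_url, render_href, render_textarea) and the http/https allowlist are assumptions of the example.

```python
import html
from urllib.parse import urlsplit

# Constructed sample inputs, mirroring the payloads shown in the advisory.
SAMPLE_TITLE = "<script>alert(1)</script>"
SAMPLE_END_URL = "javascript:alert('test')"
SAMPLE_GROUP_DESCRIPTION = "</textarea><script>alert(1)</script>"

# Assumed policy for the survey exit link: only web URLs or same-site paths.
ALLOWED_URL_SCHEMES = {"http", "https"}


def render_text(value: str) -> str:
    """Encode a stored string for an HTML text context, e.g. the file title
    or comment shown on the Display Responses page. Every '<', '>', '&' and
    quote becomes an entity, so a stored <script> tag is displayed, not run."""
    return html.escape(value, quote=True)


def safe_end_url(value: str, fallback: str = "/") -> str:
    """Validate the End URL before it is used as a link target.

    Escaping alone does not help here: a javascript: URL contains no HTML
    metacharacters, so the fix is to allow only http(s) URLs with a host, or
    a root-relative path, and to replace anything else with a safe fallback.
    """
    value = value.strip()
    parts = urlsplit(value)
    if parts.scheme:
        # javascript:, data:, vbscript: and friends all fail this check.
        if parts.scheme.lower() not in ALLOWED_URL_SCHEMES or not parts.netloc:
            return fallback
        return value
    # No scheme: accept a root-relative path but not a protocol-relative
    # "//host/..." URL, which would send the user off-site.
    if value.startswith("/") and not value.startswith("//"):
        return value
    return fallback


def render_href(value: str) -> str:
    """Validated URL, then attribute-encoded for placement inside href="...".
    Validation fixes the scheme problem; encoding prevents breaking out of
    the attribute with a stray quote."""
    return html.escape(safe_end_url(value), quote=True)


def render_textarea(value: str) -> str:
    """Render a stored description inside a <textarea>.

    The textarea body is RCDATA: tags are not parsed, but a literal
    '</textarea>' ends the element. Encoding '<' as '&lt;' means the stored
    closing tag can never terminate the element, so the following <script>
    stays inert text. (Entities are decoded back by the browser, so the user
    still sees and edits the original characters.)"""
    return '<textarea name="description">' + html.escape(value, quote=False) + "</textarea>"


def demo() -> dict:
    """Apply each fix to the advisory's payloads and return the rendered output."""
    return {
        "title": render_text(SAMPLE_TITLE),
        "exit_link": '<a href="' + render_href(SAMPLE_END_URL) + '">Exit</a>',
        "description": render_textarea(SAMPLE_GROUP_DESCRIPTION),
    }


if __name__ == "__main__":
    for context, rendered in demo().items():
        print(f"{context}: {rendered}")
```

The design point is that each sink needs its own defence: HTML-encoding is correct for the title/comment and for the textarea body, but the exit link needs scheme validation in addition to attribute encoding, because `javascript:alert('test')` survives encoding unchanged.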

Timeline

  • 2015-05-27: Initial Report (no reply)
  • 2015-06-14: Requesting Confirmation and Setting Disclose Date
  • 2015-06-15: Vendor Confirmation and Fix Announcement
  • 2015-06-18: Vendor Released Fix
  • 2015-06-27: Disclosed