CarderEmpire
Staff Member
# Vulnerability Title: Stored Cross-Site Scripting (XSS) in LimeSurvey Community
# Vendor: LimeSurvey
# Software Link: https://community.limesurvey.org/releases/
# Version: LimeSurvey Community Edition Version 5.3.32+220817
# Tested on: Windows (Client)
# CVE: CVE-2024-24506
## Description:
A critical security flaw has been discovered in LimeSurvey Community Edition
Version 5.3.32+220817, specifically within the "General Setting"
feature's "Administrator email address:" field. This vulnerability allows an
attacker to compromise the super-admin account, potentially resulting in the theft
of cookies and session tokens.
## Background:
Cross-site scripting (XSS) is a prevalent web security vulnerability that
can compromise user interactions with a vulnerable application. Stored XSS
occurs when user input is stored in the application and executed whenever a
user triggers or visits the page.
## Issue:
LimeSurvey fails to adequately validate user input on both the client
and server sides, despite implementing some protective measures. The "Administrator
email address:" field within the "General Setting" feature permits
the insertion of special characters, enabling the injection of malicious
JavaScript payloads. These payloads are stored in the database and executed
when the user saves or reloads the page.
## Steps To Reproduce:
1. Log into the LimeSurvey application.
2. Navigate to the general settings.
3. Insert the following JavaScript payload in the "Administrator email
address:" field:
Payload: `[email protected]"><u>s</u><svg
onload=confirm(document.domain)>`
## Expected Result:
Upon clicking save and reloading the page, the LimeSurvey application should display an alert with the domain.
## Actual Result:
The LimeSurvey application is susceptible to Stored Cross-Site Scripting, as
demonstrated by the successful execution of the injected payload.
# Vendor: LimeSurvey
# Software Link: https://community.limesurvey.org/releases/
# Version: LimeSurvey Community Edition Version 5.3.32+220817
# Tested on: Windows (Client)
# CVE: CVE-2024-24506
## Description:
A critical security flaw has been discovered in LimeSurvey Community Edition
Version 5.3.32+220817, specifically within the "General Setting"
feature's "Administrator email address:" field. This vulnerability allows an
attacker to compromise the super-admin account, potentially resulting in the theft
of cookies and session tokens.
## Background:
Cross-site scripting (XSS) is a prevalent web security vulnerability that
can compromise user interactions with a vulnerable application. Stored XSS
occurs when user input is stored in the application and executed whenever a
user triggers or visits the page.
## Issue:
LimeSurvey fails to adequately validate user input on both the client
and server sides, despite implementing some protective measures. The "Administrator
email address:" field within the "General Setting" feature permits
the insertion of special characters, enabling the injection of malicious
JavaScript payloads. These payloads are stored in the database and executed
when the user saves or reloads the page.
## Steps To Reproduce:
1. Log into the LimeSurvey application.
2. Navigate to the general settings.
3. Insert the following JavaScript payload in the "Administrator email
address:" field:
Payload: `[email protected]"><u>s</u><svg
onload=confirm(document.domain)>`
## Expected Result:
Upon clicking save and reloading the page, the LimeSurvey application should display an alert with the domain.
## Actual Result:
The LimeSurvey application is susceptible to Stored Cross-Site Scripting, as
demonstrated by the successful execution of the injected payload.