LimeSurvey Community 5.3.32 – Stored XSS

  • 作者: Subhankar Singh
    日期: 2024-03-25
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/51926/
  • # Exploit Title: Stored Cross-Site Scripting (XSS) in LimeSurvey Community
    Edition Version 5.3.32+220817
    # Exploit Author: Subhankar Singh
    # Date: 2024-02-03
    # Vendor: LimeSurvey
    # Software Link: https://community.limesurvey.org/releases/
    # Version: LimeSurvey Community Edition Version 5.3.32+220817
    # Tested on: Windows (Client)
    # CVE: CVE-2024-24506
    
    ## Description:
    
    A critical security vulnerability exists in LimeSurvey Community Edition
    Version 5.3.32+220817, particularly in the "General Setting"
    functionality's "Administrator email address:" field. This allows an
    attacker to compromise the super-admin account, leading to potential theft
    of cookies and session tokens.
    
    ## Background:
    
    Cross-site scripting (XSS) is a common web security vulnerability that
    compromises user interactions with a vulnerable application. Stored XSS
    occurs when user input is stored in the application and executed whenever a
    user triggers or visits the page.
    
    ## Issue:
    
    LimeSurvey fails to properly validate user-supplied input on both client
    and server sides, despite some protective measures. The "Administrator
    email address:" field within the "General Setting" functionality permits
    the insertion of special characters, enabling the injection of malicious
    JavaScript payloads. These payloads are stored in the database and executed
    when the user saves or reloads the page.
    
    ## Steps To Reproduce:
    
    1. Log into the LimeSurvey application.
    2. Navigate to the general settings.
    3. Insert the following JavaScript payload in the "Administrator email
    address:" field:
    Payload: `abcxyz@gmail.com"><u>s</u><svg
    onload=confirm(document.domain)>`
    
    ## Expected Result:
    
    The LimeSurvey application should display an alert with the domain after
    clicking save and reloading the page.
    
    ## Actual Result:
    
    The LimeSurvey application is vulnerable to Stored Cross-Site Scripting, as
    evidenced by the successful execution of the injected payload.
    
    ## Proof of Concept:
    
    Attached Screenshots for the reference.