Describe the bug
An authenticated malicious user can take advantage of a Reflected XSS vulnerability on "textbox" via "Notifications & data" feature in LimeSurvey version 4.2.5
To Reproduce
Steps to reproduce the behavior:
1. Log into the panel.
2. Go to "/webtareas/administration/mycompany.php"
3. Select "name:"
4. Insert Payload in "textbox":
"><script>alert(1)</script>
5. Click "save"
Expected behavior
The removal of script tags is not sufficient to prevent an XSS attack.
You must HTML Entity encode any output that is Reflected back to the page.
Impact
Commonly include transmitting private data, like cookies or other session information, to the attacker, redirecting the victim to web content controlled by the attacker, or performing other malicious operations on the user’s machine under the guise of the vulnerable site.
Screenshots
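The difference between stripping script tags and entity-encoding output, as stated under "Expected behavior", shown as an added example (not code from the report or from webTareas). The function names, the script-tag filter and the input-field markup are assumptions made for illustration; only the payload string comes from the report.

```php
<?php
declare(strict_types=1);

// Constructed input: the payload quoted in the report, as submitted in the text box.
$payload = '"><script>alert(1)</script>';

// Hypothetical filter that only removes <script> tags (the approach the report calls insufficient).
function strip_script_tags(string $value): string
{
    return preg_replace('#</?script\b[^>]*>#i', '', $value) ?? '';
}

// Output encoding for HTML text and quoted attribute values.
function encode_for_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed template: a form field that reflects the saved value (markup is an assumption).
function render_field(string $value): string
{
    return '<input type="text" name="name" value="' . $value . '">';
}

// True when the value can no longer terminate the quoted attribute or open a tag.
function stays_inside_attribute(string $value): bool
{
    return strpbrk($value, '"\'<>') === false;
}

// Render the same payload through each filter and report whether it stays inside value="...".
foreach (['strip_script_tags', 'encode_for_html'] as $filter) {
    $filtered = $filter($payload);
    printf(
        "%-18s %s\n  contained in attribute: %s\n",
        $filter,
        render_field($filtered),
        stays_inside_attribute($filtered) ? 'yes' : 'no'
    );
}
```

The tag-stripping filter leaves the leading quote and angle bracket in place, so the value still closes the attribute early; the encoded value contains no raw quote or angle bracket and is rendered as text.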
To be honest... this program is vulnerable to XSS everywhere.
I think so :D :D
If you're new and looking for CVEs like me, this is the right place.
I'm here to look for CVEs to boost my resume so it looks nicer.
But don't focus much on XSS, look for RCE.
Like one of my tickets, #40 file upload shtml trigger the file
Last edit: AppleBois 2020-06-24
yes, i is new member,
I hope there will be a CVE
I'm *
There might be a chance that CVE will assign you a CVE ID, but all might be 'under' my Multiple XSS category. However, you may try.
Did you send the request?
Can you share with me some experience about searching for RCE?
Do you join the bug crowd?
I did, but it's been a week with no response; maybe the other product's vendor did not respond to CVE so they can't issue a CVE ID, I guess.
I'm not a bug crowd fan.
I'm focusing on my degree right now.
Whether the vendor accepts the error or not is not related to the CVE ID issue. I submitted some unrecognized bugs but still have one CVE. :D :D
Last time I got 6 disputed CVEs because the vendor disagreed...
well
HAHA.
So you requested a CVE ID?
Did CVE Mitre respond to you?
Follow your steps, I can't reproduce the issue.
Did you install 'webTareas v2.1' or 'webTareasv2.1p1'?
I use webTareas v2.1.
https://anh.im/image/lGq
You can see the image is webTareas v2.1.
webTareas v2.1 p3 released