CVE-2022-29710 - LimeSurvey - XSS with plugin upload in uploadConfirm.php
- Title : LimeSurvey - XSS with plugin upload in uploadConfirm.php
- Author : @podalirius_
- CVSS : 7.5 (High)
- CVSS Vector : CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
A cross-site scripting (XSS) vulnerability in application/views/admin/pluginmanager/uploadConfirm.php of LimeSurvey v5.3.9 and below allows attackers to include JavaScript or HTML code in the config.xml file of a plugin.
Affected products and versions
LimeSurvey v5.3.9 and below
Exploitation
To exploit this vulnerability, a remote attacker needs to create a malicious plugin that triggers an XSS in the application/views/admin/pluginmanager/uploadConfirm.php page when installed on the LimeSurvey instance.
If we upload this plugin with HTML code embedded inside the config.xml variables, it will be reflected on the application/views/admin/pluginmanager/uploadConfirm.php page without being filtered, as we can see here:
Expected behavior
These values should be filtered with htmlentities before being reflected on the web page, resulting in the following output:
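The expected behavior described above, as an added example that is not LimeSurvey's own code: a constructed config.xml is parsed and its metadata rendered once unfiltered and once through htmlentities. The element names, the sample values and the function names encodeForHtml and renderMetadata are assumptions made for illustration.

```php
<?php
// Constructed sample: a plugin config.xml whose metadata carries markup.
// Element names and values are assumptions for this example.
$configXml = <<<'XML'
<?xml version="1.0" encoding="UTF-8"?>
<config>
  <metadata>
    <name><![CDATA[Demo<script>alert(1)</script>]]></name>
    <author>Jane &lt;b&gt;Doe&lt;/b&gt;</author>
    <version>1.0.0</version>
  </metadata>
</config>
XML;

/** Encode a value taken from config.xml for an HTML text or attribute context. */
function encodeForHtml(string $value): string
{
    return htmlentities($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Render the confirmation rows; $escape = false reproduces the unfiltered output. */
function renderMetadata(SimpleXMLElement $config, bool $escape): string
{
    $rows = '';
    foreach (['name', 'author', 'version'] as $field) {
        // The XML parser has already decoded CDATA and &lt;/&gt; here, so
        // XML-level escaping inside the uploaded file gives no protection.
        $raw = (string) $config->metadata->$field;
        $cell = $escape ? encodeForHtml($raw) : $raw;
        $rows .= sprintf("<tr><th>%s</th><td>%s</td></tr>\n", encodeForHtml($field), $cell);
    }
    return $rows;
}

// LIBXML_NONET blocks network access while parsing the untrusted upload.
$config = simplexml_load_string($configXml, SimpleXMLElement::class, LIBXML_NOCDATA | LIBXML_NONET);
if ($config === false) {
    exit("config.xml is not well-formed\n");
}

echo "Unfiltered (vulnerable):\n", renderMetadata($config, false), "\n";
echo "Encoded (expected):\n", renderMetadata($config, true);
```

In the encoded output the name and author cells contain &lt;script&gt; and &lt;b&gt; as text, so the browser displays them instead of interpreting them.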
Mitigations
Update LimeSurvey to …