CVE-2022-29710 - LimeSurvey - XSS with plugin upload in uploadConfirm.php

May 25, 2022   
authenticated cve xss 
Also available in:  🇫🇷 

Summary

A cross-site scripting (XSS) vulnerability in application/views/admin/pluginmanager/uploadConfirm.php of LimeSurvey v5.3.9 and below allows attackers to include javascript or HTML code in the config.xml file of a plugin.

Affected products and versions

LimeSurvey v5.3.9 and below

Exploitation

To exploit this vulnerability, a remote attacker need to create a malicious plugin that will trigger a XSS in the application/views/admin/pluginmanager/uploadConfirm.php page when installed on the LimeSurvey.

If we upload this plugin with html code embedded inside the config.xml variables, it will be reflected on the application/views/admin/pluginmanager/uploadConfirm.php page without being filtered, as we can see here:

Expected behavior

These values should be filtered with htmlentities before being reflected on the web page, resulting in the following output:

Mitigations

Update LimeSurvey to ...

References