CVE-2022-29710 - LimeSurvey - XSS with plugin upload in uploadConfirm.php

May 25, 2022

authenticated cve xss

Also available in: 🇬🇧

Titre : LimeSurvey - XSS with plugin upload in uploadConfirm.php
Auteur : @podalirius_
CVSS : 7.5 (High)
CVSS Vector : CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Summary

A cross-site scripting (XSS) vulnerability in application/views/admin/pluginmanager/uploadConfirm.php of LimeSurvey v5.3.9 and below allows attackers to include javascript or HTML code in the config.xml file of a plugin.

Affected products and versions

LimeSurvey v5.3.9 and below

Exploitation

To exploit this vulnerability, a remote attacker need to create a malicious plugin that will trigger a XSS in the application/views/admin/pluginmanager/uploadConfirm.php page when installed on the LimeSurvey.

If we upload this plugin with html code embedded inside the config.xml variables, it will be reflected on the application/views/admin/pluginmanager/uploadConfirm.php page without being filtered, as we can see here:

Expected behavior

These values should be filtered with htmlentities before being reflected on the web page, resulting in the following output:

Mitigations

Update LimeSurvey to ...

References

https://github.com/LimeSurvey/LimeSurvey