CVE-2019-16173: Fixed issue: [security] #15204: Reflected XSS vulnerabilities - thank… · LimeSurvey/LimeSurvey@f1c1ad2

LimeSurvey before v3.17.14 allows reflected XSS for escalating privileges from a low-privileged account to, for example, SuperAdmin. This occurs in application/core/Survey_Common_Action.php,


@@ -106,8 +106,7 @@ private function _addPseudoParams($params)

‘id’ => 'iId’,

‘gid’ => 'iGroupId’,

‘qid’ => 'iQuestionId’,

/* Unsure we set 'iSurveyId’, ‘iSurveyID’,’surveyid’ to same final survey id */

/* priority is surveyid,surveyId,sid : surveyId=1&sid=2 set sid surveyid to 1 */

/* priority is surveyid,surveyId,sid : surveyId=1&sid=2 set iSurveyId to 1 */

‘sid’ => array('iSurveyId’, 'iSurveyID’, ‘surveyid’), // Old link use sid

‘surveyId’ => array('iSurveyId’, 'iSurveyID’, ‘surveyid’), // PluginHelper->sidebody : if disable surveyId usage : broke API

‘surveyid’ => array('iSurveyId’, 'iSurveyID’, ‘surveyid’),
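Review bot: the priority remark on the survey-id aliases (`/* priority is surveyid,surveyId,sid : surveyId=1&sid=2 set iSurveyId to 1 */`) is stale once this commit lands, because `_addPseudoParams` no longer resolves a conflict between `sid`, `surveyId` and `surveyid` by priority but rejects it with a 403 (`Invalid parameter %s (%s already set)` in the next hunk); reword the comment to say that all three keys map to `iSurveyId`/`iSurveyID`/`surveyid` and must carry the same value, with a mismatch treated as an error.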

@@ -128,13 +127,16 @@ private function _addPseudoParams($params)

// Foreach pseudo, take the key, if it exists,

// Populate the values (taken as an array) as keys in params

// with that key’s value in the params

// (only if that place is empty)

// Chek is 2 params are equal for security issue.


**olleharstedt** (Contributor), Sep 17, 2019

"Check if"?


**Shnoulle** (Author, Collaborator), Sep 17, 2019

Yep, but code (and comment) are updated:

  • de7707d#diff-2f82f7fcad37bdcd926a551452f86cad: use Yii::app()->getRequest()->getParam($key): OK, we really need to check only user params.
  • e13cbeb#diff-2f82f7fcad37bdcd926a551452f86cad: … needed but not really OK in my opinion. Issue with $params['subaction'] here … I don't know where the other subaction comes from …

foreach ($pseudos as $key => $pseudo) {

if (isset($params[$key])) {

$pseudo = (array) $pseudo;

foreach ($pseudo as $pseud) {

if (empty($params[$pseud])) {

$params[$pseud] = $params[$key];

} elseif($params[$pseud] != $params[$key]){

// Throw error about multiple params (and if they are different) #15204

throw new CHttpException(403, sprintf(gT("Invalid parameter %s (%s already set)"),$pseud,$key));

}

}

}
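Review bot: the mismatch check `} elseif($params[$pseud] != $params[$key]){` uses loose comparison, and the guard `if (empty($params[$pseud]))` treats the string `"0"` as empty, so a target key already holding `"0"` is overwritten instead of compared; compare the values as strings with `!==` (for example `(string) $params[$pseud] !== (string) $params[$key]`) and test with `!isset(...)` / `=== ''` so that every alias pair is actually checked before the 403 is skipped. The comment `// Chek is 2 params are equal for security issue.` should also read `// Check that the 2 params are equal (security issue #15204)`, as olleharstedt pointed out. Shnoulle's follow-up (de7707d, reading the keys through `Yii::app()->getRequest()->getParam($key)`) is the right direction, since the check is only meaningful for values that came from the request.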

@@ -286,7 +288,6 @@ private function renderCentralContents($sAction, $aViewUrls, $aData = [])

// Output

case ‘output’ :

//// TODO : http://goo.gl/ABl5t5

$content .= $viewUrl;

if (isset($aViewUrls[‘afteroutput’])) {
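Review bot: the `//// TODO : http://goo.gl/ABl5t5` comment in the `output` case of `renderCentralContents` points at a URL shortener, which hides what the TODO refers to and stops resolving once the shortener retires the link; replace it with the expanded target or an issue reference so the intent survives.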
