LimeSurvey Community 5.3.32 Cross Site Scripting

# Exploit Title: Stored Cross-Site Scripting (XSS) in LimeSurvey CommunityEdition Version 5.3.32+220817# Exploit Author: Subhankar Singh# Date: 2024-02-03# Vendor: LimeSurvey# Software Link: https://community.limesurvey.org/releases/# Version: LimeSurvey Community Edition Version 5.3.32+220817# Tested on: Windows (Client)# CVE: CVE-2024-24506## Description:A critical security vulnerability exists in LimeSurvey Community EditionVersion 5.3.32+220817, particularly in the "General Setting"functionality's "Administrator email address:" field. This allows anattacker to compromise the super-admin account, leading to potential theftof cookies and session tokens.## Background:Cross-site scripting (XSS) is a common web security vulnerability thatcompromises user interactions with a vulnerable application. Stored XSSoccurs when user input is stored in the application and executed whenever auser triggers or visits the page.## Issue:LimeSurvey fails to properly validate user-supplied input on both clientand server sides, despite some protective measures. The "Administratoremail address:" field within the "General Setting" functionality permitsthe insertion of special characters, enabling the injection of maliciousJavaScript payloads. These payloads are stored in the database and executedwhen the user saves or reloads the page.## Steps To Reproduce:1. Log into the LimeSurvey application.2. Navigate to the general settings.3. Insert the following JavaScript payload in the "Administrator emailaddress:" field:Payload: `[email protected]"><u>s</u><svgonload=confirm(document.domain)>`## Expected Result:The LimeSurvey application should display an alert with the domain afterclicking save and reloading the page.## Actual Result:The LimeSurvey application is vulnerable to Stored Cross-Site Scripting, asevidenced by the successful execution of the injected payload.## Proof of Concept:Attached Screenshots for the reference.