Open Hebing123 opened 2 months ago
CVE-2024-6933
@Hebing123 "NOTE: The vendor was contacted early about this disclosure but did not respond in any way."
Why does the CVE say that? Can you please correct that, as it is not true?
Hello, esteemed @c-schmitz,
Previously, I submitted two security vulnerabilities for Limesurvey (XSS vulnerability and input validation error vulnerability) on Huntr and requested CVE numbers. Although the developers released patches for the vulnerabilities, they did not apply for the CVE numbers, so I added them to my repository (This SQL injection is no exception).
After some time, I discovered that the program for Limesurvey had been closed. Unable to create new issues, I submitted the vulnerabilities through the Vuldb (an officially recognized CNA by CVE) and published an announcement.
As far as I know, according to Vuldb's guidelines, they prioritize contacting the vendor to address the issue. If there is no response, they will make the report public.
I didn't write "NOTE: The vendor was contacted early about this disclosure but did not respond in any way." The summary of the vulnerabilities was published by Vuldb as a CNA, and I cannot modify it. If you wish to have the NOTE in the Summary removed, please visit https://vuldb.com/?contact and submit a request.
Several months ago, I was prohibited from submitting vulnerabilities on the Vuldb. Despite multiple inquiries, I received no response and have been unable to contact them.
I am also a loyal fan of Limesurvey. Once again, thank you for your attention to the vulnerabilities I have reported!
LimeSurvey has a clear https://github.com/LimeSurvey/LimeSurvey/blob/master/SECURITY.md; you did not read it.
Yeah, all good. This was still a huntr.dev leftover. Anyway, it is resolved. Thank you for your report.
Summary
A critical SQL injection vulnerability has been identified in LimeSurvey version 6.5.14-240624. This vulnerability exists in the actionUpdateSurveyLocaleSettingsGeneralSettings() function due to insufficient filtering of the "language" parameter. An attacker can exploit this vulnerability to execute arbitrary SQL commands on the database.
Proof of Concept
As shown in the figure, an error-based injection using the xpath function updatexml() was employed during testing. This request will invoke the vulnerable actionUpdateSurveyLocaleSettingsGeneralSettings() function, allowing the attacker to perform SQL injection. The vulnerability occurs in the "Survey - General Settings" section. An attacker with low-level permissions, such as a user who has the ability to create surveys, can exploit this vulnerability.
Reproduction Steps: Create a new user with survey permissions, and replace the Cookie and YII_CSRF_TOKEN in the PoC.
Impact
This vulnerability allows arbitrary SQL execution through SQL injection, posing a severe threat to server security.
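A defender-side check for the bug described in the report above, added here as an example and not code from LimeSurvey or from the reporter: a strict allowlist for the "language" parameter (the shape of the fix) and a scan of constructed request records for calls to the reported action whose language value fails that allowlist. The locale-code pattern, the controller route, the surveyid and the record format are assumptions; only the action name comes from the report.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed shape of a LimeSurvey language code, e.g. "en", "pt-BR", "de-informal".
LANGUAGE_CODE = re.compile(r"[a-z]{2,3}(?:-[A-Za-z]{2,8})*")
# Lower-cased fragment of the action name from the report; the real controller
# route is not on the page, so only this fragment is matched.
ACTION_FRAGMENT = "updatesurveylocalesettingsgeneralsettings"


def is_valid_language(value: str) -> bool:
    """Allowlist check, the fix shape for this bug: a value that is not a plain
    locale code is rejected before it can reach any SQL statement."""
    return LANGUAGE_CODE.fullmatch(value) is not None


def parse_request(line: str):
    """Split a constructed 'METHOD /path?query' record into (method, path, params)."""
    method, _, target = line.partition(" ")
    parts = urlsplit(target)
    params = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return method, parts.path, params


def suspicious_requests(lines):
    """Return (line_no, language value) for requests to the vulnerable action whose
    language parameter fails the allowlist. No payload signatures are needed:
    any non-locale value is anomalous for this parameter."""
    hits = []
    for n, line in enumerate(lines, 1):
        _, path, params = parse_request(line)
        route = (path + " " + params.get("r", "")).lower()
        if ACTION_FRAGMENT in route and "language" in params:
            if not is_valid_language(params["language"]):
                hits.append((n, params["language"]))
    return hits


# Constructed sample records; the controller name, parameter placement and
# surveyid are placeholders, not values taken from LimeSurvey.
ROUTE = "/index.php?r=exampleController/updateSurveyLocaleSettingsGeneralSettings&surveyid=123456"
SAMPLE_LOG = [
    f"POST {ROUTE}&language=en",
    f"POST {ROUTE}&language=pt-BR",
    f"POST {ROUTE}&language=en%27%20AND%20updatexml(1%2C...%2C1)--%20",
    "GET /index.php?r=exampleController/view&surveyid=123456&language=en",
]

if __name__ == "__main__":
    for line_no, value in suspicious_requests(SAMPLE_LOG):
        print(f"line {line_no}: rejected language value {value!r}")
```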