Stored XSS Bypass While add a new Comment in answerdev/answer


Reported on

Feb 8th 2023


Stored XSS bypass in add comments function if you try to inject XSS payload like <img src=x onerror=alert(1)> that won't work ,So I found a bypass that able to bypass cloudflare with the following payload <img only=1 src=x onerror=alert()> or <img xthemo=1 src=x onerror=alert(1)> and click enter to add newline and click "add comment"

func (cc *CommentController) AddComment(ctx *gin.Context) {
    req := &schema.AddCommentReq{}
    if handler.BindAndCheck(ctx, req) {

    req.UserID = middleware.GetLoginUserIDFromContext(ctx)
    canList, err := cc.rankService.CheckOperationPermissions(ctx, req.UserID, []string{
    if err != nil {
        handler.HandleResponse(ctx, err, nil)
    req.CanAdd = canList[0]
    req.CanEdit = canList[1]
    req.CanDelete = canList[2]
    if !req.CanAdd {
        handler.HandleResponse(ctx, errors.Forbidden(reason.RankFailToMeetTheCondition), nil)

    resp, err := cc.commentService.AddComment(ctx, req)
    handler.HandleResponse(ctx, err, resp)

As you see there is no check on user input that

Proof of Concept


Steal users cookies and accounts

We are processing your report and will contact the answerdev/answer team within 24 hours. a month ago
We have contacted a member of the answerdev/answer team and are waiting to hear back a month ago
joyqi validated this vulnerability 16 days ago
Mohamed Abdelhady has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
joyqi marked this as fixed in 1.0.6 with commit 056689 16 days ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
joyqi published this vulnerability 16 days ago
to join this conversation