Stored DOM-based Cross-site Scripting in Tags Functionality in answerdev/answer

Valid

Reported on

Feb 9th 2023


Description

A stored, DOM-based cross-site scripting vulnerability exists in answer version 1.0.4 within the question tagging functionality.

Steps

Step 1. Log in.

Step 2. Proceed to create a new question. Populate the Title and Body input.

Step 3. Click on the Add tag button, shown in the following screenshot:

[Screenshot: add-tag-button]

Step 4. Proceed to create a new tag, as seen in the following screenshot:

[Screenshot: create-new-tag]

Step 5. In the 'Create new tag' dialog, enter the XSS payload in the 'Description' textarea, as shown in the following screenshot:

[Screenshot: payload]

Step 6. Click 'Submit' to save the tag, then click 'Post your question' to save the question.

Step 7. On the question details screen, click the new tag, as shown in the following screenshot:

[Screenshot: click-tag]

Step 8. The script executes, as shown in the following screenshot:

[Screenshot: script-executed]

A debugger; statement within the XSS payload was used to identify the vulnerable sink, as shown in the following screenshot:

[Screenshot: vuln-sink]

The sink is located at: https://github.com/answerdev/answer/blob/10b59e0e27c95f3520ac979bdc58ddaedb6aaaa0/ui/src/utils/common.ts#L107.
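The pattern behind this class of bug, as an added example that is not the project's code and does not reproduce the sink at common.ts: a tag description concatenated straight into markup, beside the same template with every interpolation escaped, plus a small check a test suite can run over rendered output. All function names, the tag object and the sample payload are constructed here.

```javascript
// Added example, not code from answerdev/answer: contrasts an unsafe and a
// hardened way to render a user-controlled tag description into HTML.
// Function names, the tag object and the payload are all constructed here.

// Constructed sample: the kind of description a low-privileged user can save.
const SAMPLE_TAG = {
  name: 'helpful',
  description: 'Useful tag <img src=x onerror="debugger;">',
};

// Unsafe pattern (what a DOM XSS sink looks like): the stored description is
// concatenated straight into markup, so when the client assigns the result to
// innerHTML (or an equivalent sink) the embedded <img onerror> handler runs.
function renderTagCardUnsafe(tag) {
  return `<a class="tag" title="${tag.description}">${tag.name}</a>` +
    `<p class="tag-description">${tag.description}</p>`;
}

// Escape the characters that can break out of text content or a quoted
// attribute value; after this, user input is rendered as literal text.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened pattern: every interpolation is escaped, both in the attribute
// context (title=) and in the element content context.
function renderTagCardSafe(tag) {
  return `<a class="tag" title="${escapeHtml(tag.description)}">${escapeHtml(tag.name)}</a>` +
    `<p class="tag-description">${escapeHtml(tag.description)}</p>`;
}

// Defender-side check usable in a test suite or a review script: does the
// rendered markup contain any element other than the two the template emits?
function hasInjectedElement(html) {
  const tags = (html.match(/<\/?([a-z][a-z0-9]*)/gi) || [])
    .map((t) => t.replace(/^<\/?/, '').toLowerCase());
  return tags.some((t) => t !== 'a' && t !== 'p');
}
```

The same check applied to the unsafe template flags the injected img element, while the escaped template yields only the a and p elements the template itself emits.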

Impact

A lower-privileged user may execute script in the context of a higher-privileged user such as an administrator, and recover the access token, allowing privilege escalation and access to administrative functionality.

We are processing your report and will contact the answerdev/answer team within 24 hours. 2 months ago
We have contacted a member of the answerdev/answer team and are waiting to hear back 2 months ago
joyqi validated this vulnerability 24 days ago
Matt Zajork has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
joyqi marked this as fixed in 1.0.6 with commit 90bfa0 24 days ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
joyqi published this vulnerability 24 days ago