Stored DOM-based Cross-site Scripting in Tags Functionality in answerdev/answer


Reported on Feb 9th 2023


A stored, DOM-based cross-site scripting vulnerability exists in answer version 1.0.4 within the question tagging functionality.


Step 1. Log in.

Step 2. Proceed to create a new question. Populate the Title and Body input.

Step 3. Click on the Add tag button, shown in the following screenshot:


Step 4. Proceed to create a new tag, as seen in the following screenshot:


Step 5. In the 'Create new tag' dialog, add the XSS string to the 'Description' textarea, as shown in the following screenshot:


Step 6. Click 'Submit' to save the tag, then click 'Post your question' to save the question.

Step 7. On the question details screen, click the new tag, as shown in the following screenshot:


Step 8. The script was executed, shown as follows:


A debugger; statement within the XSS payload was used to identify the vulnerable sink, shown as follows:


The sink is located at:


A lower privileged user may execute script in the context of a higher privileged user such as an administrator, and recover the access token allowing for privilege escalation and access to administrative functionality.
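The two rendering shapes below are an added example, not answer's own code and not the sink the report refers to (the report names the tag description as the injection point but does not reproduce answer's source). They assume a client-side renderer that interpolates the stored description into markup, show the hardened form beside it, and add an audit helper for finding tag descriptions that were stored while the vulnerable version was deployed. The sample tag is constructed; its description carries the same kind of `debugger;` payload the report used to locate the sink.

```javascript
// Added example (not answer's own code). Assumption: a client-side renderer builds
// the tag card from the stored description; the report shows the injection point,
// not answer's actual sink, so both renderer shapes below are assumed.

// Constructed sample tag, as it could be created through 'Create new tag'.
const SAMPLE_TAG = {
  name: "golang",
  description: "Questions about Go <script>debugger;</script>",
};

// Vulnerable shape (assumed): the description is spliced into HTML verbatim, so
// any element it contains becomes live DOM when the tag page is rendered.
function renderTagCardUnsafe(tag) {
  return `<div class="tag-card"><h3>${tag.name}</h3><p>${tag.description}</p></div>`;
}

// Hardened shape: encode the characters that carry meaning in HTML text and
// attribute contexts before interpolation, so the stored string is displayed
// rather than parsed.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

function renderTagCardSafe(tag) {
  return `<div class="tag-card"><h3>${escapeHtml(tag.name)}</h3><p>${escapeHtml(tag.description)}</p></div>`;
}

// Audit helper for already-stored tags: a plain-text description has no reason
// to contain tag-like markup (a '<' immediately followed by a tag name) or a
// javascript: URL. A bare "1 < 2" is not flagged because HTML treats it as text.
const MARKUP_PATTERN = /<\/?[a-z!?]/i;
const SCRIPT_URL_PATTERN = /javascript\s*:/i;

function looksLikeMarkup(description) {
  return MARKUP_PATTERN.test(description) || SCRIPT_URL_PATTERN.test(description);
}

// Return the names of the tags whose stored description looks suspicious.
function auditTags(tags) {
  return tags.filter((t) => looksLikeMarkup(t.description)).map((t) => t.name);
}

// Stand-alone demonstration.
console.log("unsafe :", renderTagCardUnsafe(SAMPLE_TAG));
console.log("safe   :", renderTagCardSafe(SAMPLE_TAG));
console.log(
  "flagged:",
  auditTags([SAMPLE_TAG, { name: "python", description: "Questions about Python" }])
);
```

Escaping is used here only because the example runs without a DOM; in the browser the equivalent fix is to assign the description through `textContent` or to build the card from DOM nodes rather than from a markup string. The audit helper is a coarse filter for triage after upgrading past 1.0.4, not a sanitizer: a flagged description should be reviewed and rewritten by hand.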

We are processing your report and will contact the answerdev/answer team within 24 hours. 2 months ago
We have contacted a member of the answerdev/answer team and are waiting to hear back 2 months ago
joyqi validated this vulnerability 24 days ago
Matt Zajork has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
joyqi marked this as fixed in 1.0.6 with commit 90bfa0 24 days ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
joyqi published this vulnerability 24 days ago