Stored DOM-based Cross-site Scripting in Tags Functionality in answerdev/answer
Feb 9th 2023
A stored, DOM-based cross-site scripting vulnerability exists in answerdev/answer version 1.0.4 within the question tagging functionality. The Description field of a tag is persisted server-side and later written to the page by client-side code through an unsafe DOM sink without encoding, so script placed in a tag's description executes in the browser of any user who views that tag.
Step 1. Log in.
Step 2. Proceed to create a new question. Populate the Title and Body inputs.
Step 3. Click on the Add tag button, shown in the following screenshot:
Step 4. Proceed to create a new tag, as seen in the following screenshot:
Step 5. In the 'Create new tag' dialog, enter the XSS payload in the 'Description' textarea, as shown in the following screenshot:
Step 6. Click 'Submit' to save the tag, then click 'Post your question' to save the question.
Step 7. On the question details screen, click the new tag, as shown in the following screenshot:
Step 8. The script executes when the tag's details are displayed, as shown in the following screenshot:
A debugger; statement inside the XSS payload pauses the browser's JavaScript debugger at the moment the injected script runs, so the call stack shown in the developer tools leads directly to the vulnerable sink, as shown in the following screenshot:
The sink is located at: https://github.com/answerdev/answer/blob/10b59e0e27c95f3520ac979bdc58ddaedb6aaaa0/ui/src/utils/common.ts#L107.
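The following is an added illustration by the editor and is not code from answerdev/answer or from the original report. It models the two things the steps above rely on: a grep-style audit for DOM HTML sinks of the kind the debugger; trick led to, and the vulnerable rendering pattern (attacker-controlled tag description interpolated into markup that reaches innerHTML) beside a hardened version that encodes the description first. The tag object shape, the sample source lines and the payload string are constructed for this example and are assumptions, not the project's real code or the report's exact payload.

```javascript
// Added illustration; not answerdev/answer code. The source snippet, tag shape
// and payload below are constructed for the example.

// Property sinks that interpret a string as HTML, plus React's escape hatch.
const HTML_SINK_PATTERNS = [
  { name: 'innerHTML', re: /\.innerHTML\s*=/ },
  { name: 'outerHTML', re: /\.outerHTML\s*=/ },
  { name: 'insertAdjacentHTML', re: /\.insertAdjacentHTML\s*\(/ },
  { name: 'document.write', re: /document\.write(ln)?\s*\(/ },
  { name: 'dangerouslySetInnerHTML', re: /dangerouslySetInnerHTML/ },
];

// Return [{line, sink, text}] for every source line that writes to an HTML sink.
// This is the static-analysis counterpart of pausing on debugger; at runtime.
function findHtmlSinks(source) {
  const hits = [];
  source.split('\n').forEach((text, i) => {
    for (const { name, re } of HTML_SINK_PATTERNS) {
      if (re.test(text)) hits.push({ line: i + 1, sink: name, text: text.trim() });
    }
  });
  return hits;
}

// Constructed sample source (not answer's common.ts): one genuine sink on
// line 3 and a comment on line 2 that mentions the word without being a sink.
const SAMPLE_SOURCE = [
  'export function showTagPopover(el, tag) {',
  '  // innerHTML is mentioned in this comment only',
  '  el.innerHTML = `<p>${tag.description}</p>`;',
  '  el.setAttribute("title", tag.display_name);',
  '}',
].join('\n');

// Minimal HTML entity encoder for text that must end up inside element content.
const escapeHtml = (s) => String(s).replace(/[&<>"']/g, (c) =>
  ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));

// Vulnerable pattern: the stored description is interpolated straight into
// markup destined for innerHTML, so an <img onerror=...> in it runs on view.
function renderTagDescriptionUnsafe(tag) {
  return `<p class="tag-desc">${tag.description}</p>`;
}

// Hardened: encode before the string reaches the HTML sink. In real DOM code
// the equivalent is assigning to textContent instead of innerHTML.
function renderTagDescriptionSafe(tag) {
  return `<p class="tag-desc">${escapeHtml(tag.description)}</p>`;
}

// Constructed payload in the style the report describes (a debugger; statement
// so the browser pauses at the sink); the report's exact string is not on the page.
const SAMPLE_TAG = {
  display_name: 'sample-tag',
  description: '<img src=x onerror="debugger;alert(document.domain)">',
};

// True if the rendered string still contains an executable event-handler attribute.
function rendersAsMarkup(html) {
  return /<img\b[^>]*\bonerror=/i.test(html);
}

function demo() {
  const unsafe = renderTagDescriptionUnsafe(SAMPLE_TAG);
  const safe = renderTagDescriptionSafe(SAMPLE_TAG);
  return {
    sinks: findHtmlSinks(SAMPLE_SOURCE),
    unsafe,
    safe,
    unsafeExecutes: rendersAsMarkup(unsafe),
    safeExecutes: rendersAsMarkup(safe),
  };
}

console.log(demo());
```

Run with node; findHtmlSinks reports only line 3 of the sample (the comment on line 2 is not flagged), and the hardened renderer yields `&lt;img ...&gt;` text rather than a live element. Where the UI is React, the fix is the same in spirit: render the description as a text child and never pass it through dangerouslySetInnerHTML, or sanitize it with an allow-list sanitizer if formatting is required.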
Because the payload is stored and fires for every user who views the tag, a lower-privileged user may execute script in the context of a higher-privileged user such as an administrator, and recover that user's access token, allowing privilege escalation and access to administrative functionality.