Complex xss to bypass protection in answerdev/answer
Feb 8th 2023
1.First we login as a normal user, and then comment under a question, the content of the comment is
<img src=x onerror=alert(document.domain)>
2.Then we login as an administrator user. And find the comment we just submitted, the administrator can click the edit button.Then the administrator Click "Save edits" without any modification.
3.Finally the comment will trigger xss.
We are processing your report and will contact the answerdev/answer team within 24 hours. a month ago
The researcher's credibility has increased: +7
to join this conversation