Multiple stored XSS in answerdev/answer

Valid

Reported on Jan 24th 2023


Description

Hello! Found multiple stored XSS.

PoCs

"About me" XSS

Insert this code (<image src =q onerror=prompt(1337)>) in "About me" (http://host/users/settings/profile).

Website title XSS

Go to /admin/general and edit 'Site Name', adding the following payload: <script>alert("XSS ATTACK!")</script>

The script will be executed every time you reload the page.

Answers XSS

[a](javascript:alert(1)) will be sanitized, but [a](JaVaScRiPt:alert(1)) won't. Also <javascript:prompt(document.cookie)>.

Post a comment using the previous payload: [a](JaVaScRiPt:alert(1))

Impact

An attacker could execute JavaScript code in the victim's browser, leading to, e.g., cookie stealing.
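The third PoC works because the link sanitizer compares the scheme case-sensitively. The Go program below is an added example written for this page; it is not code from answerdev/answer or from the report, and the function names (weakIsSafeHref, normalizeHref, isSafeHref, renderLink) are hypothetical. It places a constructed version of that weak check beside a hardened one that normalizes the href the way a browser would and allow-lists schemes instead of deny-listing javascript:, and it goes beyond the report's payloads by also rejecting the whitespace and control-character variants (java<TAB>script:, leading spaces) that browsers tolerate. The last function shows the output-encoding step that would also neutralize the "About me" payload if that field were rendered as escaped text.

```go
package main

import (
	"fmt"
	"html"
	"net/url"
	"strings"
)

// weakIsSafeHref is a constructed example of the pattern the report's
// mixed-case payload defeats: a case-sensitive prefix test against a single
// deny-listed scheme. It is not the project's code.
func weakIsSafeHref(href string) bool {
	return !strings.HasPrefix(href, "javascript:")
}

// normalizeHref drops what browsers ignore when resolving a URL: leading and
// trailing whitespace, and ASCII control characters (tab, CR, LF) anywhere in
// the string. A scheme check that runs before this step lets "java\tscript:"
// through while the browser still executes it.
func normalizeHref(href string) string {
	var b strings.Builder
	for _, r := range strings.TrimSpace(href) {
		if r < 0x20 || r == 0x7f {
			continue
		}
		b.WriteRune(r)
	}
	return b.String()
}

// isSafeHref accepts relative URLs and an explicit allow-list of schemes.
// net/url lowercases the scheme it parses, so javascript:, JaVaScRiPt: and
// JAVASCRIPT: all hit the same comparison, and unlisted schemes (data:,
// vbscript:, ...) are rejected without being named one by one.
func isSafeHref(href string) bool {
	u, err := url.Parse(normalizeHref(href))
	if err != nil {
		return false
	}
	switch u.Scheme {
	case "", "http", "https", "mailto":
		return true
	}
	return false
}

// renderLink is the anchor a Markdown renderer would emit for [text](href).
// An unsafe href degrades the link to escaped plain text; both the attribute
// value and the link text are HTML-escaped, so markup such as the "About me"
// payload (<image src=q onerror=...>) cannot break out of the element.
func renderLink(text, href string) string {
	if !isSafeHref(href) {
		return html.EscapeString(text)
	}
	return fmt.Sprintf(`<a href="%s" rel="nofollow">%s</a>`,
		html.EscapeString(normalizeHref(href)), html.EscapeString(text))
}

func main() {
	// Constructed inputs: the report's payloads plus variants browsers tolerate.
	hrefs := []string{
		"javascript:alert(1)",
		"JaVaScRiPt:alert(1)",
		"java\tscript:alert(1)",
		"  javascript:alert(1)",
		"data:text/html,<script>alert(1)</script>",
		"https://example.com/",
		"/users/settings/profile",
		"mailto:user@example.com",
	}
	for _, h := range hrefs {
		fmt.Printf("%-44q weak=%-5v hardened=%v\n", h, weakIsSafeHref(h), isSafeHref(h))
	}
	fmt.Println(renderLink("<image src=q onerror=prompt(1337)>", "/users/settings/profile"))
}
```

The weak check reports the mixed-case, tab-split and space-prefixed payloads as safe; the hardened check rejects all of them and still accepts relative, http(s) and mailto links. The design choice worth copying is the allow-list: a deny-list has to enumerate every dangerous scheme and every spelling a browser will accept, while an allow-list only has to name the few schemes the application actually needs.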

We are processing your report and will contact the answerdev/answer team within 24 hours. (2 months ago)
Eduardo modified the report. (2 months ago)
We have contacted a member of the answerdev/answer team and are waiting to hear back. (2 months ago)
answerdev/answer maintainer validated this vulnerability. (2 months ago)
Eduardo has been awarded the disclosure bounty.
The fix bounty is now up for grabs.
Eduardo (Researcher), 2 months ago:

Thank you for confirming. Is there anything else I can assist you with at this time?

answerdev/answer maintainer (Maintainer), a month ago:

This report is related to two bugs. One of them has been fixed in the current version, and the other will be fixed in the next version. @admin can you help us assign a CVE to this report? And we will make it public in the next release version.

Ben Harvie (Admin), a month ago:

Hey @maintainer, you have the option to assign a CVE; you will see this option during the fix and publishing stage.

joyqi marked this as fixed in 1.0.5 with commit edc069. (a month ago)
The fix bounty has been dropped.
This vulnerability has been assigned a CVE.
joyqi published this vulnerability. (a month ago)