Multiple stored XSS in answerdev/answer


Reported on

Jan 24th 2023


Hello! Found multiple stored XSS.


"About me" XSS

Insert this code (<image src =q onerror=prompt(1337)>) in "About me" (http://host/users/settings/profile)

Website title XSS

go to /admin/general, edit 'Site Name' adding the following payload <script>alert("XSS ATTACK!")</script>

The script will be executed every time you reload the page.

Answers XSS

[a](javascript:alert(1)) will be sanitized, but [a](JaVaScRiPt:alert(1)) wont. Also <javascript:prompt(document.cookie)>

Post a a comment using the previus payload: [a](JaVaScRiPt:alert(1)) 


An attacker could execute JavaScript code in the victim browser, leading to e.g. cookie stealing

We are processing your report and will contact the answerdev/answer team within 24 hours. 2 months ago
Eduardo modified the report
2 months ago
We have contacted a member of the answerdev/answer team and are waiting to hear back 2 months ago
answerdev/answer maintainer validated this vulnerability 2 months ago
Eduardo has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
2 months ago


Thank you for confirming. Is there anything else I can assist you with at this time?

answerdev/answer maintainer
a month ago


This report is related to two bugs. One of them has been fixed in the current version, and the other will be fixed in the next version. @admin can you help us assign a CVE to this report? And we will make it public in the next release version.

Ben Harvie
a month ago


Hey @maintainer, you have the option to assign a CVE, you will see this option during the fix and publishing stage.

joyqi marked this as fixed in 1.0.5 with commit edc069 a month ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
joyqi published this vulnerability a month ago
to join this conversation