Stored XSS in Your Answer in answerdev/answer
Valid
Reported on
Jan 12th 2023
Description
Evil users can attack other users or administrator users through this vulnerability, causing other users' or administrators' accounts to be taken over.
Proof of Concept
Step 1. Insert an XSS payload in the hyperlink of the question answer
javaScript:alert(localStorage.getItem('_a_lui_'))
Step 2. Any user can click this answer to trigger the XSS vulnerability to obtain the access_token
Impact
Executing JavaScript in the victim's session, which leads to potential account takeover, performing actions as that user, ...
Occurrences
markdown.go L14-L30
By default, goldmark does not render raw HTML or potentially-dangerous URLs. If you need to gain more control over untrusted contents, it is recommended that you use an HTML sanitizer such as bluemonday.
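The note above recommends passing untrusted content through an HTML sanitizer such as bluemonday. As an added illustration (not code from answerdev/answer, goldmark or bluemonday), this standard-library Go example shows a scheme allowlist check for link targets that rejects the mixed-case payload from the report; the names IsSafeHref, normalizeHref and allowedSchemes and the allowed scheme set are assumptions.

```go
package main

import (
	"fmt"
	"html"
	"net/url"
	"strings"
)

// allowedSchemes is an assumed policy for links in user-submitted answers.
var allowedSchemes = map[string]bool{"http": true, "https": true, "mailto": true}

// normalizeHref mirrors what a browser does before parsing a link target:
// character references are decoded, tab/CR/LF are dropped anywhere, and
// leading or trailing control characters and spaces are trimmed.
func normalizeHref(href string) string {
	href = strings.Map(func(r rune) rune {
		if r == '\t' || r == '\n' || r == '\r' {
			return -1
		}
		return r
	}, html.UnescapeString(href))
	return strings.TrimFunc(href, func(r rune) bool { return r <= 0x20 })
}

// IsSafeHref reports whether href may be written into an <a href> attribute.
func IsSafeHref(href string) bool {
	u, err := url.Parse(normalizeHref(href))
	if err != nil {
		return false // unparseable targets are rejected, never passed through
	}
	if u.Scheme == "" {
		return true // relative link, fragment or protocol-relative URL
	}
	return allowedSchemes[u.Scheme] // url.Parse lower-cases the scheme
}

func main() {
	// Constructed inputs; the first is the payload from the report.
	for _, h := range []string{
		"javaScript:alert(localStorage.getItem('_a_lui_'))",
		"java\tscript:alert(1)",
		"&#106;avascript:alert(1)",
		"https://example.com/docs",
		"/questions/1",
	} {
		fmt.Printf("%-52q safe=%v\n", h, IsSafeHref(h))
	}
}
```

A check like this belongs on the server at render time, applied to every link target the Markdown renderer emits, so stored content written before the fix is covered as well.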
We are processing your report and will contact the answerdev/answer team within 24 hours. (2 months ago)
We have contacted a member of the answerdev/answer team and are waiting to hear back. (2 months ago)
We have sent a follow up to the answerdev/answer team. We will try again in 7 days. (2 months ago)
The researcher's credibility has increased: +7
The fix bounty has been dropped
This vulnerability has been assigned a CVE
markdown.go#L14-L30 has been validated