XSS via markdown syntax in leobbs/leobbs


Reported on Jan 10th 2023

Hi, Maintainer, thanks for reading. I am glad to report a security problem to you.

I found that your forum allows users to use markdown syntax to post articles and comments, but there is no corresponding protection, which is unsafe. Any user can post dangerous content, like the following, which will have a great impact on forum users.

Proof of Concept

(1) By stealing the administrator's account or cookie, the intruder can log in to the back end as an administrator. This enables intruders to manipulate back-end data maliciously, including reading, changing, adding and deleting information.

(2) Stealing users' personal information or login accounts will pose a huge threat to the security of the website's users, for example by impersonating a user to perform various operations.

(3) Planting a Trojan on the website (a drive-by download). First, the malicious attack code is embedded into the web application. When a user browses the compromised page, the user's computer is implanted with a Trojan horse.

(4) Sending advertisements or spam messages. Attackers can use XSS vulnerabilities to plant advertisements or send spam, seriously affecting
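The protection the report says is missing is an output sanitizer for the HTML that the markdown renderer produces: markdown allows raw HTML and arbitrary link targets, so escaping the markdown source alone is not enough. As an added illustration (not code from leobbs or from the fix commit), the allowlist sanitizer below, written on the Python standard library, keeps ordinary post formatting and drops scripts, event-handler attributes and javascript: or data: URLs; the tag and attribute lists are assumptions chosen for a forum post, and a production deployment would use a maintained sanitizer library with the same allowlist approach.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allowlist of what a rendered post may contain; everything else is dropped.
ALLOWED_TAGS = {"p", "br", "b", "strong", "i", "em", "code", "pre",
                "ul", "ol", "li", "blockquote", "a", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "title"}}
SAFE_SCHEMES = {"", "http", "https", "mailto"}   # "" = relative URL
VOID_TAGS = {"br", "img"}
DROP_WITH_CONTENT = {"script", "style"}          # tag AND its text are removed

def is_safe_url(value):
    # Browsers strip tab/CR/LF in URLs ("java\tscript:" -> "javascript:"), so
    # reject any control character outright, then check the scheme.
    if any(ord(c) < 0x20 for c in value):
        return False
    return urlparse(value.strip()).scheme.lower() in SAFE_SCHEMES

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skipping = [], False
    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skipping = True
        if self.skipping or tag not in ALLOWED_TAGS:
            return                      # unknown tag: drop it, keep its text
        kept = ""
        for name, value in attrs:       # values arrive already entity-decoded
            if name in ALLOWED_ATTRS.get(tag, ()) and value is not None:
                if name in ("href", "src") and not is_safe_url(value):
                    continue            # e.g. javascript: or data: URLs
                kept += f' {name}="{escape(value, quote=True)}"'
        self.out.append(f"<{tag}{kept}>")
    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skipping = False
        elif not self.skipping and tag in ALLOWED_TAGS - VOID_TAGS:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):        # comments/declarations are dropped by default
        if not self.skipping:
            self.out.append(escape(data, quote=False))

def sanitize_rendered_markdown(fragment):
    p = AllowlistSanitizer()            # run the renderer's HTML output through the allowlist
    p.feed(fragment)
    p.close()
    return "".join(p.out)
```

Call `sanitize_rendered_markdown()` on the renderer's output right before it is stored or served, never on the markdown source.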

We are processing your report and will contact the leobbs team within 24 hours. 3 months ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md 3 months ago

I am looking into it. 2 months ago

cnmade validated this vulnerability 2 months ago
Christy__ has been awarded the disclosure bounty
cnmade marked this as fixed in v2.0.4 with commit a68620 2 months ago
cnmade has been awarded the fix bounty
This vulnerability will not receive a CVE
cnmade published this vulnerability 2 months ago
cnmade gave praise 2 months ago
Thanks for help