Cross-site Scripting (XSS) - Stored in erudika/scoold
Valid
Reported on Dec 31st 2021
Description
Scoold is a Q&A/knowledge base platform written in Java. When writing a Q&A, you can use the markdown editor. So I tried to exploit the []() syntax to try an XSS attack. It seemed to validate javascript:* on the backend, so I couldn't use it. However, according to RFC 3986, the scheme can use uppercase letters! So I was able to bypass it using this.
Proof of Concept
1. Open https://pro.scoold.com/questions/ask
2. Enter [XSS](Javascript:alert(document.domain)) as the value for Content, and save it.
3. Click the XSS text in the Q&A post.
Video : https://www.youtube.com/watch?v=z1Jep-4St48
Impact
Through this vulnerability, an attacker is capable of executing malicious scripts.
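The root cause described above is a case-sensitive blocklist on the link scheme, which RFC 3986 defines as case-insensitive. The following is an added example, not Scoold's code: it contrasts that weak check with an allow-list on the normalized scheme and applies it to Markdown link targets (the allowed schemes, the regexes and the sanitizer are assumptions for the demonstration).

```python
import re
from typing import Optional

# RFC 3986 scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ), then ":".
# Both letter cases are matched because the RFC treats schemes as case-insensitive.
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")
# Minimal [text](href) matcher for the demonstration (not a full Markdown parser).
_MD_LINK_RE = re.compile(r"\[([^\]]*)\]\((\S+)\)")

# Assumed allow-list of schemes a Q&A post may link to.
SAFE_SCHEMES = frozenset({"http", "https", "mailto"})


def weak_is_safe_href(href: str) -> bool:
    """Case-sensitive blocklist: the kind of check the report bypasses."""
    return not href.startswith("javascript:")


def scheme_of(href: str) -> Optional[str]:
    """Return the lower-cased scheme, or None for scheme-less (relative) links."""
    m = _SCHEME_RE.match(href.strip())
    return m.group(1).lower() if m else None


def hardened_is_safe_href(href: str) -> bool:
    """Allow-list on the normalized scheme; relative links carry no scheme and pass."""
    scheme = scheme_of(href)
    return scheme is None or scheme in SAFE_SCHEMES


def sanitize_markdown_links(markdown: str) -> str:
    """Neutralize the target of every [text](href) whose scheme is not allow-listed."""
    def fix(m: "re.Match[str]") -> str:
        text, href = m.group(1), m.group(2)
        return m.group(0) if hardened_is_safe_href(href) else f"[{text}](#)"
    return _MD_LINK_RE.sub(fix, markdown)


if __name__ == "__main__":
    # Constructed inputs: the report's payload beside a benign link.
    payload = "[XSS](Javascript:alert(document.domain))"
    print(weak_is_safe_href("Javascript:alert(document.domain)"))      # True (bypassed)
    print(hardened_is_safe_href("Javascript:alert(document.domain)"))  # False
    print(sanitize_markdown_links(payload))                            # [XSS](#)
    print(sanitize_markdown_links("[docs](https://example.com/a)"))    # unchanged
```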
We are processing your report and will contact the erudika/scoold team within 24 hours.
a year ago
Pocas modified the report
a year ago
We have contacted a member of the erudika/scoold team and are waiting to hear back
a year ago
We have sent a follow up to the erudika/scoold team. We will try again in 7 days.
a year ago
Valid, even though the payload is blocked in all browsers because of the Content Security Policy in place.