Cross-site Scripting (XSS) - Stored in erudika/scoold

Valid

Reported on

Dec 31st 2021


Description

Scoold is a Q&A/knowledge base platform written in Java. When writing a Q&A, you can use the markdown editor. So I tried to exploit the []() syntax to attempt an XSS attack. It seemed to validate javascript:* on the backend, so I couldn't use it. However, according to RFC 3986, the scheme can use uppercase letters! So I was able to bypass it using this.

Proof of Concept

1. Open the https://pro.scoold.com/questions/ask
2. Enter [XSS](Javascript:alert(document.domain)) as the value for Content, and save it.
3. Click the XSS text in the Q&A post.

Video : https://www.youtube.com/watch?v=z1Jep-4St48

Impact

Through this vulnerability, an attacker is capable of executing malicious scripts in the context of a user who clicks the link.
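To show why a deny-list that only matches the lowercase spelling fails against this report's payload, and what a scheme allow-list looks like instead, here is an added Python example. It is not Scoold's code; SAFE_SCHEMES, naive_is_safe, hardened_href and render_markdown_link are constructed names for this illustration.

```python
import html
import re
from typing import Optional

# Schemes a post is allowed to link to (constructed allow-list for this example).
SAFE_SCHEMES = {"http", "https", "mailto"}

# RFC 3986 section 3.1: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ),
# and schemes are case-insensitive, so "Javascript:" is the same scheme as "javascript:".
SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def naive_is_safe(href: str) -> bool:
    """Deny-list check that only matches the lowercase spelling (the weak pattern from the report)."""
    return not href.startswith("javascript:")


def hardened_href(href: str) -> Optional[str]:
    """Return href if its scheme is on the allow-list (or it is relative); None means drop the link."""
    # Browsers strip leading/trailing C0 controls and spaces, and remove tab/CR/LF anywhere
    # (WHATWG URL parsing), so normalise the same way before looking at the scheme.
    candidate = href.strip("".join(chr(c) for c in range(0x21)))
    candidate = re.sub(r"[\t\r\n]", "", candidate)
    m = SCHEME_RE.match(candidate)
    if m is None:
        # No well-formed scheme. A ':' before any '/', '?' or '#' is still a scheme attempt
        # (malformed or encoded), so reject it; otherwise treat it as a relative URL.
        head = re.split(r"[/?#]", candidate, maxsplit=1)[0]
        return None if ":" in head else candidate
    return candidate if m.group(1).lower() in SAFE_SCHEMES else None


def render_markdown_link(text: str, href: str) -> str:
    """Render [text](href) as HTML, keeping the link text but dropping a disallowed href."""
    safe = hardened_href(href)
    if safe is None:
        return html.escape(text)
    return f'<a href="{html.escape(safe, quote=True)}">{html.escape(text)}</a>'
```

The naive check lets the report's mixed-case payload through, while the allow-list rejects every spelling of the scheme and leaves ordinary http(s) and relative links untouched.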

We are processing your report and will contact the erudika/scoold team within 24 hours. a month ago
Pocas modified their report
a month ago
We have contacted a member of the erudika/scoold team and are waiting to hear back a month ago
We have sent a follow up to the erudika/scoold team. We will try again in 7 days. 24 days ago
Alex
24 days ago

Maintainer


Valid, even though the payload is blocked in all browsers because of the Content Security Policy in place.

Alex Bogdanovski validated this vulnerability 24 days ago
Pocas has been awarded the disclosure bounty
The fix bounty is now up for grabs
Alex Bogdanovski confirmed that a fix has been merged on ae3e5e 24 days ago
Alex Bogdanovski has been awarded the fix bounty
Pocas
24 days ago

Researcher


Thank you for the patch 🤗 Happy new year