Stored XSS in Sitename in answerdev/answer
Feb 22nd 2023
There is a stored XSS in the site name: the value is saved as entered and rendered without escaping whenever a page is opened.
Proof of Concept
1: Use the command below to clone the repo to your machine: git clone https://github.com/answerdev/answer.git
2: Navigate inside the repo: cd answer
3: Use docker-compose to spin it up locally: sudo docker-compose up
4: The installation will now be available at http://localhost:9080/install; open it in a browser.
5: While setting up the installation, choose SQLite.
6: On the next page it will ask for the site name. Use <script>alert(1)</script> as the site name and fill in the rest of the page's details as usual. Once the page is opened, the stored XSS payload pops up directly.
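The root cause behind a finding like this is that a stored value (the site name) is written into the page without output encoding for the HTML context it lands in. The following Go program is an added example written for this page, not code from the answerdev/answer project; the page does not show how the project renders the site name, so the "unsafe" function is a hypothetical concatenation illustrating the bug pattern, and the "safe" function shows the generic fix of rendering through Go's html/template, which escapes interpolated values contextually. The sample site name is the payload quoted in the report and is used as constructed test input.

```go
package main

import (
	"fmt"
	"html/template"
	"strings"
)

// sampleSiteName is the report's payload, used here as constructed sample input.
const sampleSiteName = "<script>alert(1)</script>"

// renderUnsafe builds the page header by string concatenation, so whatever is
// stored as the site name reaches the browser verbatim. Hypothetical
// illustration of the vulnerable pattern; not the project's code.
func renderUnsafe(siteName string) string {
	return "<title>" + siteName + "</title><h1>" + siteName + "</h1>"
}

// pageTmpl is parsed by html/template, which tracks the HTML context of each
// {{...}} action and applies the matching escaper at execution time.
var pageTmpl = template.Must(template.New("page").Parse(
	`<title>{{.SiteName}}</title><h1>{{.SiteName}}</h1>`))

// renderSafe renders the same header through html/template; '<', '>', '&' and
// quotes in the site name come out as HTML entities, so no tag is created.
func renderSafe(siteName string) (string, error) {
	var sb strings.Builder
	err := pageTmpl.Execute(&sb, struct{ SiteName string }{siteName})
	return sb.String(), err
}

// containsRawScript is a simple check that a test or reviewer can run over
// rendered output to flag an unescaped script tag.
func containsRawScript(html string) bool {
	return strings.Contains(strings.ToLower(html), "<script")
}

func main() {
	fmt.Println("unsafe:", renderUnsafe(sampleSiteName))
	safe, err := renderSafe(sampleSiteName)
	if err != nil {
		panic(err)
	}
	fmt.Println("safe:  ", safe)
}
```

Running it prints the concatenated version with a live script element and the templated version with `&lt;script&gt;alert(1)&lt;/script&gt;` in both the title and the heading. The design point is that escaping belongs at output time, per rendering context, rather than at input time: a site name stored as-is is fine as long as every place that emits it encodes for where it lands.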