Cross-site Scripting (XSS) - Stored in erudika/scoold


Reported on Dec 31st 2021


Scoold is a Q&A/knowledge base platform written in Java. When writing a Q&A, you can use the markdown editor, so I tried to exploit the []() syntax for an XSS attack. The backend seemed to validate javascript:*, so I couldn't use it. However, according to RFC 3986, the scheme can use uppercase letters! So I was able to bypass the check using this.

Proof of Concept

1. Open the
2. Enter [XSS](Javascript:alert(document.domain)) as the value for Content, and save it.
3. Click the XSS text in the Q&A post.


Through this vulnerability, an attacker is able to execute malicious scripts.
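
The check described in the report, next to a stricter one, as an added example (not Scoold's code and not the fix commit): a case-sensitive denylist accepts the reported value, while an allowlist applied to the lower-cased RFC 3986 scheme rejects it. The class name, method names and the allowed scheme set are assumptions made for illustration.

```java
import java.util.Locale;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class LinkSchemeCheck {
    // RFC 3986, section 3.1: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ),
    // and schemes are case-insensitive.
    private static final Pattern SCHEME = Pattern.compile("^([A-Za-z][A-Za-z0-9+.-]*):");
    // Assumed allowlist for link targets in user-written posts.
    private static final Set<String> ALLOWED = Set.of("http", "https", "mailto");

    // Case-sensitive denylist: the kind of check the report describes.
    static boolean naiveIsSafe(String href) {
        return !href.startsWith("javascript:");
    }

    // Allowlist on the lower-cased scheme; anything that does not parse cleanly is rejected.
    static boolean isSafe(String href) {
        if (href == null || href.isEmpty()) return false;
        for (int i = 0; i < href.length(); i++) {
            char c = href.charAt(i);
            if (c <= 0x20 || c == 0x7f) return false; // no whitespace or control characters
        }
        Matcher m = SCHEME.matcher(href);
        if (m.find()) {
            return ALLOWED.contains(m.group(1).toLowerCase(Locale.ROOT));
        }
        // No scheme: accept only a relative reference (no ':' before the first '/', '?' or '#').
        int colon = href.indexOf(':');
        if (colon < 0) return true;
        for (int i = 0; i < colon; i++) {
            if ("/?#".indexOf(href.charAt(i)) >= 0) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample link targets; the second is the value from the report.
        String[] samples = {
            "javascript:alert(document.domain)",
            "Javascript:alert(document.domain)",
            "https://example.com/a?b=c",
            "/questions/123#answer",
            "mailto:admin@example.com"
        };
        for (String s : samples) {
            System.out.printf("%-36s naive=%-5b allowlist=%b%n", s, naiveIsSafe(s), isSafe(s));
        }
    }
}
```

Only the second sample gets different answers from the two checks: the denylist returns true for it and the allowlist returns false.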

We are processing your report and will contact the erudika/scoold team within 24 hours. 2 years ago
Pocas modified the report 2 years ago
We have contacted a member of the erudika/scoold team and are waiting to hear back 2 years ago
We have sent a follow up to the erudika/scoold team. We will try again in 4 days. 2 years ago


Valid, even though the payload is blocked in all browsers because of the Content Security Policy in place.

Alex Bogdanovski validated this vulnerability 2 years ago
p0cas has been awarded the disclosure bounty
The fix bounty is now up for grabs
Alex Bogdanovski marked this as fixed with commit ae3e5e 2 years ago
Alex Bogdanovski has been awarded the fix bounty


Thank you for the patch 🤗 Happy new year
