Cross-site Scripting (XSS) - Stored in erudika/scoold

Valid

Reported on

Dec 31st 2021


Description

Scoold is a Q&A/knowledge base platform written in Java. When writing a Q&A, you can use the markdown editor. So I tried to exploit the []() syntax to try an XSS attack. It seemed to validate javascript:* on the backend. So I couldn't use it. However, according to RFC 3986, the scheme can use uppercase letters! So I was able to bypass it using this.

Proof of Concept

1. Open https://pro.scoold.com/questions/ask
2. Enter [XSS](Javascript:alert(document.domain)) as the value for Content, and save it.
3. Click the XSS text in the Q&A post.

Video: https://www.youtube.com/watch?v=z1Jep-4St48

Impact

Through this vulnerability, an attacker is capable of executing malicious scripts.
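The bypass in this report works because the backend compared the scheme case-sensitively while RFC 3986 defines schemes as case-insensitive. The following is an added example (not Scoold's code) showing a case-sensitive deny-list check of the kind the report describes beside an allow-list check that extracts the scheme with the RFC 3986 grammar and lowercases it before comparing. The function names, the allow-list contents and the sample URLs are assumptions made for this illustration.

```python
import html
import re

# RFC 3986 section 3.1: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
# The RFC also states that scheme names are case-insensitive, so
# "Javascript:" and "javascript:" name the same scheme.
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")

# Allow-list of schemes a link in user-supplied markdown may use (assumed for this example).
ALLOWED_SCHEMES = frozenset({"http", "https", "mailto"})


def naive_is_safe_link(url: str) -> bool:
    """Case-sensitive deny-list check, the style of check the report describes as bypassed.

    It rejects "javascript:" but accepts "Javascript:" because str.startswith is exact.
    """
    return not url.startswith("javascript:")


def scheme_of(url: str):
    """Return the lowercased scheme of url, or None when the URL has no RFC 3986 scheme."""
    # The WHATWG URL parser removes ASCII tab and newline and strips leading/trailing
    # whitespace, so normalise the same way before classifying the link.
    cleaned = url.strip().replace("\t", "").replace("\n", "").replace("\r", "")
    match = _SCHEME_RE.match(cleaned)
    return match.group(1).lower() if match else None


def is_safe_link(url: str) -> bool:
    """Allow-list check: relative URLs and allow-listed schemes only, compared case-insensitively."""
    scheme = scheme_of(url)
    if scheme is None:
        # No scheme at all: a relative link such as "/questions/123" or "#section".
        return True
    return scheme in ALLOWED_SCHEMES


def render_markdown_link(text: str, url: str) -> str:
    """Render a markdown [text](url) link as HTML, neutralising links that fail the allow-list."""
    href = url if is_safe_link(url) else "#"
    return '<a href="{}">{}</a>'.format(html.escape(href, quote=True), html.escape(text))


if __name__ == "__main__":
    # Constructed sample inputs, including the mixed-case scheme from the report.
    for candidate in ("javascript:alert(1)", "Javascript:alert(document.domain)",
                      "https://example.com/q/1", "/questions/123"):
        print(f"{candidate!r:45} naive={naive_is_safe_link(candidate)!s:5} allow-list={is_safe_link(candidate)}")
```

The deny-list version passes the mixed-case payload straight through, while the allow-list version rejects it because the scheme is compared after lowercasing. The maintainer's note that the payload was blocked by the Content Security Policy illustrates why CSP belongs alongside, not instead of, input validation: the policy caught what the scheme check missed.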

We are processing your report and will contact the erudika/scoold team within 24 hours. 6 months ago
Pocas modified the report
6 months ago
We have contacted a member of the erudika/scoold team and are waiting to hear back 6 months ago
We have sent a follow up to the erudika/scoold team. We will try again in 7 days. 6 months ago
Alex
6 months ago

Maintainer

Valid, even though the payload is blocked in all browsers because of the Content Security Policy in place.

Alex Bogdanovski validated this vulnerability 6 months ago
Pocas has been awarded the disclosure bounty
The fix bounty is now up for grabs
Alex Bogdanovski confirmed that a fix has been merged on ae3e5e 6 months ago
Alex Bogdanovski has been awarded the fix bounty
Pocas
6 months ago

Researcher

Thank you for the patch 🤗 Happy new year
