Cross-site Scripting (XSS) - Stored in erudika/scoold


Reported on

Dec 31st 2021


Scoold is a Q&A/knowledge base platform written in Java. When writing a Q&A, you can use the markdown editor. So I tried to exploit the []() syntax to try an XSS attack. It seemed to validate javascript:* on the backend, so I couldn't use it. However, according to RFC 3986, the scheme can use uppercase letters! So I was able to bypass it using this.

Proof of Concept

1. Open the
2. Enter [XSS](Javascript:alert(document.domain)) as the value for Content, and save it.
3. Click the XSS text in the Q&A post.


Through this vulnerability, an attacker is able to execute malicious scripts.
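
The bypass described in the report, as an added example (not code from the report or from Scoold): a case-sensitive `javascript:` check shown beside an allowlist applied to the lower-cased scheme. The class and method names, the allowlist contents, and the sample URLs other than the reported payload are assumptions made for illustration.

```java
import java.util.List;
import java.util.Locale;
import java.util.Set;

public class LinkSchemeCheck {
    // Assumed allowlist for this example; a real deployment chooses its own.
    private static final Set<String> ALLOWED = Set.of("http", "https", "mailto");

    // Case-sensitive blocklist: the kind of check the report describes bypassing.
    static boolean naiveIsSafe(String href) {
        return !href.startsWith("javascript:");
    }

    // Allowlist check on the normalised scheme.
    static boolean isSafe(String href) {
        // Reject control characters and trim surrounding whitespace, so the
        // string that is checked is the string a browser will parse.
        if (href.chars().anyMatch(Character::isISOControl)) return false;
        String url = href.strip();
        int colon = url.indexOf(':');
        int delim = firstIndexOfAny(url, "/?#");
        // No colon before the first '/', '?' or '#': relative reference, no scheme.
        if (colon < 0 || (delim >= 0 && delim < colon)) {
            return true;
        }
        // RFC 3986 schemes are case-insensitive, so compare in lower case.
        String scheme = url.substring(0, colon).toLowerCase(Locale.ROOT);
        return ALLOWED.contains(scheme);
    }

    private static int firstIndexOfAny(String s, String chars) {
        for (int i = 0; i < s.length(); i++) {
            if (chars.indexOf(s.charAt(i)) >= 0) return i;
        }
        return -1;
    }

    public static void main(String[] args) {
        // Constructed sample inputs; the second is the payload from the report.
        List<String> samples = List.of(
            "javascript:alert(document.domain)",
            "Javascript:alert(document.domain)",
            "https://example.com/faq",
            "/questions/42#answer");
        for (String s : samples) {
            System.out.printf("%-36s naive=%-5b allowlist=%b%n", s, naiveIsSafe(s), isSafe(s));
        }
    }
}
```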

We are processing your report and will contact the erudika/scoold team within 24 hours. a year ago
Pocas modified the report a year ago
We have contacted a member of the erudika/scoold team and are waiting to hear back a year ago
We have sent a follow up to the erudika/scoold team. We will try again in 7 days. a year ago


Valid, even though the payload is blocked in all browsers because of the Content Security Policy in place.

Alex Bogdanovski validated this vulnerability a year ago
Pocas has been awarded the disclosure bounty
The fix bounty is now up for grabs
Alex Bogdanovski marked this as fixed with commit ae3e5e a year ago
Alex Bogdanovski has been awarded the fix bounty
This vulnerability will not receive a CVE


Thank you for the patch 🤗 Happy new year
