Cross-site Scripting (XSS) - Stored in erudika/scoold
Dec 31st 2021
Scoold is a Q&A/knowledge base platform written in Java. When writing a Q&A, you can use the markdown editor. So I tried to exploit the
() syntax to try an XSS attack. It seemed to validate
RFC3986, the scheme can use uppercase letters! So I was able to bypass it using this.
Proof of Concept
Through this vulnerability, an attacker is able to execute malicious scripts.
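
A defensive check for the scheme-case issue described above, as an added example (not Scoold's code and not its actual fix). The class name, the allowed-scheme list and the weak comparison shown for contrast are assumptions; the sample inputs are constructed.

```java
import java.util.List;
import java.util.Locale;
import java.util.Set;

public class LinkSchemeCheck {
    // Assumption: the only schemes wanted in user-written markdown links.
    private static final Set<String> ALLOWED = Set.of("http", "https", "mailto");

    // Hypothetical weak check: a case-sensitive denylist that a mixed-case scheme passes.
    static boolean weakIsSafe(String url) {
        return !url.startsWith("javascript:");
    }

    // Hardened check: isolate the scheme, lowercase it (RFC 3986 schemes are
    // case-insensitive), then compare against an allowlist instead of a denylist.
    static boolean isSafe(String url) {
        if (url == null) return false;
        // Browsers drop tab/CR/LF inside URLs and trim leading/trailing controls and spaces.
        String cleaned = url.replaceAll("[\\t\\r\\n]", "")
                            .replaceAll("^[\\x00-\\x20]+|[\\x00-\\x20]+$", "");
        int colon = cleaned.indexOf(':');
        int delim = firstOf(cleaned, "/?#");
        if (colon < 0 || (delim >= 0 && delim < colon)) {
            return true; // no scheme present: relative reference
        }
        String scheme = cleaned.substring(0, colon).toLowerCase(Locale.ROOT);
        // RFC 3986: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
        return scheme.matches("[a-z][a-z0-9+.-]*") && ALLOWED.contains(scheme);
    }

    static int firstOf(String s, String chars) {
        for (int i = 0; i < s.length(); i++) {
            if (chars.indexOf(s.charAt(i)) >= 0) return i;
        }
        return -1;
    }

    public static void main(String[] args) {
        // Constructed sample link targets, not taken from the report.
        List<String> samples = List.of(
            "https://example.com/a", "HTTPS://example.com/a", "/questions/42",
            "javascript:alert(1)", "JavaScript:alert(1)", " \tJAVASCRIPT:alert(1)");
        for (String s : samples) {
            System.out.printf("%-28s weak=%-5b hardened=%b%n", s.trim(), weakIsSafe(s), isSafe(s));
        }
    }
}
```

The weak check accepts the last two samples, while the hardened check rejects all three script-scheme samples and still accepts the uppercase `HTTPS` link.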