VYPR
Moderate severity · NVD Advisory · Published Jun 17, 2018 · Updated Aug 5, 2024

CVE-2018-12104

Description

Cross-site scripting (XSS) vulnerability in Airbnb Knowledge Repo 0.7.4 allows remote attackers to inject arbitrary web scripts or HTML via the post comments functionality, as demonstrated by the post/posts/new_report.kp URI.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Airbnb Knowledge Repo 0.7.4 is vulnerable to stored XSS via post comments, allowing unauthenticated attackers to execute arbitrary JavaScript in victims' browsers.

Vulnerability

Airbnb Knowledge Repo version 0.7.4 contains a stored cross-site scripting (XSS) vulnerability in the post comments functionality [1][4]. An attacker can inject arbitrary JavaScript or HTML into the comment field, which is then rendered without proper sanitization when the post is viewed. The vulnerable endpoint is /post/posts/new_report.kp [1]. The issue is caused by insufficient output encoding of user-supplied input in the comment submission and display pipeline.

Exploitation

An attacker does not need authentication; the post comments feature is accessible to unauthenticated users on public posts [4]. The attack requires only that a victim views the post containing the malicious comment. The attacker submits a comment containing a payload such as `` [4]. When any user (including an authenticated user or administrator) views the post, the payload executes in their browser context.

Impact

Successful exploitation allows arbitrary JavaScript execution in the context of the victim's session on the Knowledge Repo instance [4]. The attacker can perform a wide range of client-side attacks, including session hijacking, defacement, phishing, redirection to malicious sites, or browser-based cryptomining [4]. The attacker does not gain server-side access, but can compromise the integrity and confidentiality of the victim's interactions with the application.

Mitigation

As of the available references, no patched version has been released that addresses this vulnerability [3][4]. The project maintainers were notified via a GitHub issue [4]. Users should apply general web application security best practices, such as implementing context-sensitive output encoding and input validation, as recommended by the OWASP XSS Prevention Cheat Sheet [4]. If not already done, consider disabling anonymous comments or using a web application firewall (WAF) to filter malicious inputs until a fix is available.
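As an added illustration (not code from the advisory or from the Knowledge Repo project), the following Python contrasts the unencoded rendering that produces a stored XSS with context-sensitive output encoding at render time and with the encode-on-save approach; `html.escape` from the standard library stands in for `markupsafe.escape`, the HTML body context is assumed, and the comment body is a constructed sample.

```python
import html
from html.parser import HTMLParser

# Constructed sample: a comment body carrying markup, of the kind the
# advisory describes being submitted through the comment form.
SAMPLE_COMMENT = '<script>alert(1)</script> nice post & "thanks"'


def render_comment_unescaped(stored_text: str) -> str:
    """Vulnerable pattern: the stored comment is concatenated into the page
    with no HTML-context output encoding, so its markup joins the DOM."""
    return f'<div class="comment">{stored_text}</div>'


def render_comment_escaped(stored_text: str) -> str:
    """Hardened pattern: encode at render time. html.escape stands in for
    markupsafe.escape / Jinja2 autoescaping (assumption: HTML body context)."""
    return f'<div class="comment">{html.escape(stored_text, quote=True)}</div>'


def escape_on_store(submitted_text: str) -> str:
    """Encode-on-save, the approach of the fix commit shown on this page."""
    return html.escape(submitted_text, quote=True)


class _Inspector(HTMLParser):
    """Collects element names and the text a browser would display."""

    def __init__(self) -> None:
        super().__init__()
        self.tags, self.text = [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

    def handle_data(self, data):
        self.text.append(data)


def injected_tags(rendered_html: str) -> list:
    """Any element besides the wrapper <div> originated in the comment body."""
    p = _Inspector()
    p.feed(rendered_html)
    p.close()
    return [t for t in p.tags if t != "div"]


def displayed_text(rendered_html: str) -> str:
    """Text the reader sees (character references already decoded)."""
    p = _Inspector()
    p.feed(rendered_html)
    p.close()
    return "".join(p.text)
```

Combining encode-on-save with an autoescaping template double-encodes: `displayed_text(render_comment_escaped(escape_on_store("a & b")))` shows the reader the literal `a &amp; b`, which is the caveat to weigh when choosing where the encoding step lives.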

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package          Ecosystem   Affected versions   Patched versions
knowledge-repo   PyPI        < 0.9.0             0.9.0

Patches

f026ad2afea1

Fix XSS vulnerability by escaping comments

Repository: https://github.com/airbnb/knowledge-repo · Author: Naoya Kanai · May 30, 2020 · via ghsa
1 file changed · +2 −3
  • knowledge_repo/app/routes/comment.py (+2 −3, modified)
    @@ -6,7 +6,7 @@
       - /delete_comment
     """
     import logging
    -from flask import request, Blueprint, g
    +from flask import request, Blueprint, g, escape
     
     from .. import permissions
     from ..proxies import db_session, current_user
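Review bot: the new import `from flask import request, Blueprint, g, escape` takes `escape` from Flask's re-export of `markupsafe.escape`, which Flask deprecated in 2.3 and removed in 3.0; importing it as `from markupsafe import escape` gives the same function without tying the fix to older Flask releases.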
    @@ -43,8 +43,7 @@ def post_comment():
                                  .first())
         else:
             comment = Comment(post_id=post.id)
    -
    -    comment.text = data['text']
    +    comment.text = escape(data['text'])
         comment.user_id = current_user.id
         db_session.add(comment)
         db_session.commit()
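Review bot: `comment.text = escape(data['text'])` encodes at storage time rather than at render time, so comments saved before this change remain unescaped in the database and still render as markup, and every other consumer of `comment.text` (an edit form, an API response) now receives entity-encoded text. Rendering the raw text through an autoescaping template, or at minimum pairing this change with a migration that re-encodes existing rows, would close the gap; also note that `escape` returns a `Markup` object (a `str` subclass), so if a template applies autoescaping to this field as well, readers will see doubly encoded characters such as `&amp;lt;`.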
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
