Cross-site Scripting (XSS) - Stored in answerdev/answer
Description
Cross-site Scripting (XSS) - Stored in GitHub repository answerdev/answer prior to 1.0.5.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored XSS vulnerability in answerdev/answer prior to 1.0.5 allows attackers to inject malicious scripts via unsanitized input fields.
CVE-2023-0934 is a stored Cross-Site Scripting (XSS) vulnerability in the Answer Q&A platform (now Apache Answer) in versions prior to 1.0.5. The root cause is missing input sanitization on the site general settings request: the name, short description, description, site URL and contact email fields were validated only for presence, length and format, so arbitrary HTML or JavaScript could be stored in them [1][3].
Those fields are written through the admin site-settings endpoint (UpdateGeneral in internal/controller_admin/siteinfo_controller.go in the fix commit), so the injection point is a form that only an account with site-settings rights can submit. The payload is stored server-side and executes in the browser of every user who views a page that renders the stored values, which enables session hijacking, defacement, or data theft [4].
The vulnerability was fixed in version 1.0.5 by registering a custom 'sanitizer' validation tag with go-playground/validator, backed by bluemonday's UGCPolicy, and applying it to the affected fields, so disallowed markup is stripped in place before the value is validated further and stored [3]. Users are strongly advised to upgrade to answer 1.0.5 or later to mitigate the risk.
No other mitigations or workarounds have been documented, and the CVE has been actively tracked by huntr.dev as part of their bug bounty platform [4].
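As an added illustration (not code from the Answer project or from the advisory), the following Go program shows the two layers that a stored-XSS fix of this kind relies on: sanitising tagged string fields in place through reflection, the way the patch's Sanitizer does with field.SetString, and contextual escaping at render time. The `sanitize:"true"` struct tag, the SanitizeTagged walker, the pageHead template and the Render* functions are assumptions made for this example; html.EscapeString stands in for bluemonday's UGCPolicy, which is not in the standard library, and entity-encodes every tag instead of allow-listing safe markup.

```go
package main

import (
	"errors"
	"fmt"
	"html"
	htmltemplate "html/template"
	"reflect"
	"strings"
	texttemplate "text/template"
)

// SiteGeneralReq mirrors the shape of the patched request struct. The
// `sanitize:"true"` tag is an assumption for this example; the project itself
// uses go-playground/validator with a custom "sanitizer" tag.
type SiteGeneralReq struct {
	Name             string `sanitize:"true"`
	ShortDescription string `sanitize:"true"`
	SiteUrl          string // left alone here: validate as a URL, escape at render time
}

// sanitizeHTML stands in for bluemonday.UGCPolicy().Sanitize. It neutralises
// markup by entity-encoding every special character rather than keeping an
// allow-list of safe tags, so it is stricter (and lossier) than the real fix.
func sanitizeHTML(s string) string {
	return html.EscapeString(s)
}

// SanitizeTagged rewrites every string field tagged sanitize:"true" in place,
// as the patch's Sanitizer does through field.SetString. reflect can only set
// addressable values, so the struct must be passed by pointer; a value copy
// would leave the caller's data untouched, so it is rejected explicitly.
func SanitizeTagged(v interface{}) error {
	rv := reflect.ValueOf(v)
	if rv.Kind() != reflect.Ptr || rv.Elem().Kind() != reflect.Struct {
		return errors.New("SanitizeTagged: need a pointer to a struct")
	}
	rv = rv.Elem()
	rt := rv.Type()
	for i := 0; i < rt.NumField(); i++ {
		f := rv.Field(i)
		if f.Kind() != reflect.String || rt.Field(i).Tag.Get("sanitize") != "true" {
			continue
		}
		f.SetString(sanitizeHTML(f.String()))
	}
	return nil
}

// pageHead is an assumed fragment of a page that shows the stored settings:
// the site name as element text and the description as an attribute value.
const pageHead = `<title>{{.Name}}</title><meta name="description" content="{{.ShortDescription}}">`

// RenderUnescaped substitutes the values verbatim (text/template), which is
// how a stored payload turns into live script for every visitor.
func RenderUnescaped(req SiteGeneralReq) string {
	var sb strings.Builder
	if err := texttemplate.Must(texttemplate.New("h").Parse(pageHead)).Execute(&sb, req); err != nil {
		return "render error: " + err.Error()
	}
	return sb.String()
}

// RenderEscaped uses html/template, which escapes each value for the context
// it lands in (RCDATA inside <title>, quoted attribute for content=""), so the
// same data is inert even when input sanitisation was skipped. Both layers are
// wanted: sanitise on the way in, escape on the way out.
func RenderEscaped(req SiteGeneralReq) string {
	var sb strings.Builder
	if err := htmltemplate.Must(htmltemplate.New("h").Parse(pageHead)).Execute(&sb, req); err != nil {
		return "render error: " + err.Error()
	}
	return sb.String()
}

func main() {
	// Constructed payloads: a script tag in the name and an attribute
	// breakout in the short description.
	req := SiteGeneralReq{
		Name:             `<script>alert(document.cookie)</script>Acme Q&A`,
		ShortDescription: `help" onmouseover="alert(1)`,
		SiteUrl:          "https://example.test/?a=1&b=2",
	}
	fmt.Println("unescaped :", RenderUnescaped(req))
	fmt.Println("escaped   :", RenderEscaped(req))
	if err := SanitizeTagged(&req); err != nil {
		fmt.Println(err)
		return
	}
	fmt.Println("sanitized :", req.Name, "|", req.ShortDescription)
}
```

Run it with `go run`; the first line shows the raw `<script>` element in the page head, the second shows it entity-encoded by html/template, and the third shows what would be persisted after the in-place sanitiser ran. In the project the pointer requirement is met because go-playground/validator mutates the request struct that gin bound the form into; the example makes that precondition an explicit error rather than a reflect panic.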
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/answerdev/answer (Go) | < 1.0.5 | 1.0.5 |
Affected products
answerdev / answer (range: unspecified)
Patches
3 files changed · +24 −6
internal/base/validator/validator.go+18 −0 modified@@ -33,6 +33,7 @@ import ( "github.com/go-playground/validator/v10/translations/vi" "github.com/go-playground/validator/v10/translations/zh" "github.com/go-playground/validator/v10/translations/zh_tw" + "github.com/microcosm-cc/bluemonday" myErrors "github.com/segmentfault/pacman/errors" "github.com/segmentfault/pacman/i18n" "github.com/segmentfault/pacman/log" @@ -116,10 +117,27 @@ func NotBlank(fl validator.FieldLevel) (res bool) { } } +func Sanitizer(fl validator.FieldLevel) (res bool) { + field := fl.Field() + switch field.Kind() { + case reflect.String: + filter := bluemonday.UGCPolicy() + field.SetString(filter.Sanitize(field.String())) + return true + case reflect.Chan, reflect.Map, reflect.Slice, reflect.Array: + return field.Len() > 0 + case reflect.Ptr, reflect.Interface, reflect.Func: + return !field.IsNil() + default: + return field.IsValid() && field.Interface() != reflect.Zero(field.Type()).Interface() + } +} + func createDefaultValidator(la i18n.Language) *validator.Validate { validate := validator.New() // _ = validate.RegisterValidation("notblank", validators.NotBlank) _ = validate.RegisterValidation("notblank", NotBlank) + _ = validate.RegisterValidation("sanitizer", Sanitizer) validate.RegisterTagNameFunc(func(fld reflect.StructField) (res string) { defer func() { if len(res) > 0 {
internal/controller_admin/siteinfo_controller.go+1 −1 modified@@ -205,7 +205,7 @@ func (sc *SiteInfoController) UpdateGeneral(ctx *gin.Context) { return } err := sc.siteInfoService.SaveSiteGeneral(ctx, req) - handler.HandleResponse(ctx, err, nil) + handler.HandleResponse(ctx, err, req) } // UpdateInterface update site interface
internal/schema/siteinfo_schema.go+5 −5 modified@@ -18,11 +18,11 @@ const PermaLinkQuestionID = 2 // SiteGeneralReq site general request type SiteGeneralReq struct { - Name string `validate:"required,gt=1,lte=128" form:"name" json:"name"` - ShortDescription string `validate:"omitempty,gt=3,lte=255" form:"short_description" json:"short_description"` - Description string `validate:"omitempty,gt=3,lte=2000" form:"description" json:"description"` - SiteUrl string `validate:"required,gt=1,lte=512,url" form:"site_url" json:"site_url"` - ContactEmail string `validate:"required,gt=1,lte=512,email" form:"contact_email" json:"contact_email"` + Name string `validate:"required,sanitizer,gt=1,lte=128" form:"name" json:"name"` + ShortDescription string `validate:"omitempty,sanitizer,gt=3,lte=255" form:"short_description" json:"short_description"` + Description string `validate:"omitempty,sanitizer,gt=3,lte=2000" form:"description" json:"description"` + SiteUrl string `validate:"required,sanitizer,gt=1,lte=512,url" form:"site_url" json:"site_url"` + ContactEmail string `validate:"required,sanitizer,gt=1,lte=512,email" form:"contact_email" json:"contact_email"` } type SiteSeoReq struct {
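Review bot: In the validator.go hunk, Sanitizer calls field.SetString, which panics on an unaddressable value, so the tag only works when the struct reaches Validate by pointer; that precondition, and the fact that the function mutates its input, should be stated in a doc comment (none is present). The non-string branches duplicate NotBlank rather than sanitizing anything, so `sanitizer` on a slice, map or pointer silently turns into a presence check; returning true for non-string kinds, or rejecting them, would make the tag's contract honest. Also note that UGCPolicy keeps a broad set of markup (links, images, inline formatting); for plain-text values such as a site name, bluemonday's StrictPolicy is the closer fit.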
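Review bot: In the siteinfo_controller.go hunk, passing req instead of nil to HandleResponse is what lets the admin UI display the values that were actually stored after sanitization, but that depends on the validator having mutated req in place; a one-line comment would keep the next reader from reverting it to nil. Since req is now handed over regardless of err, confirm that HandleResponse omits the body when err is non-nil rather than echoing a rejected request.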
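Review bot: In the siteinfo_schema.go hunk, tag order matters: `sanitizer` runs after `required`/`omitempty` but before the length, `url` and `email` checks, so those checks see the sanitized string (a Name consisting only of a script element sanitizes to empty and then fails gt=1 instead of being stored blank). That is the right order, but it is easy to break when someone reorders the tags, so add a comment. Running an HTML sanitizer over SiteUrl and ContactEmail is questionable: bluemonday re-escapes text, so a URL with a query string comes back with `&` as `&amp;` and is then escaped again at render time. Validate those two fields strictly as url/email and rely on output escaping for them.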
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (4)
News mentions (0)
No linked articles in our index yet.