Cross-site Scripting (XSS) - Stored in answerdev/answer
Description
Cross-site Scripting (XSS) - Stored in GitHub repository answerdev/answer prior to 1.0.6.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored XSS vulnerability in Answer prior to 1.0.6 allowed attackers to inject arbitrary JavaScript via comment text, fixed by removing client-side Markdown parsing.
Root Cause
The Answer Q&A platform, prior to version 1.0.6, contained a stored cross-site scripting (XSS) vulnerability in the comment functionality. The root cause was that user-supplied comment text was parsed into HTML on the client side using the marked library, and the resulting HTML was sent unsanitized to the server and stored. When other users viewed the comment, the stored HTML was rendered directly in the browser without proper output encoding or sanitization [1][2].
Attack Vector
An authenticated user could exploit this by crafting a comment containing malicious JavaScript, such as an HTML tag with an `onerror` handler. Because the comment text was processed client-side with marked and the resulting HTML was sent to the server as `parsed_text`, the attacker's payload would be stored and later executed in the browser of any user who viewed that comment. No special privileges beyond the ability to post comments were required [1][2].
Impact
Successful exploitation allowed an attacker to execute arbitrary JavaScript in the context of the victim's session. This could be used to steal session cookies, perform actions on behalf of the victim, deface pages, or redirect users to malicious sites. The severity is high because Answer is used as a Q&A platform for teams, where users trust the content and may interact with infected comments [1][3].
Mitigation
The vulnerability was fixed in commit 0566894a2c0e13cf07d877f41467e2e21529fee8, which removed client-side Markdown parsing of comments and instead relied on server-side sanitization by returning the parsed text in the API response. Users of Answer should upgrade to version 1.0.6 or later. No workarounds are documented, but restricting comment creation to trusted users would limit the attack surface until an upgrade is applied [1][2][4].
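The design the fix moves toward, as an added example (not Answer's own code): the server derives `parsed_text` from `original_text` alone, escaping all raw HTML before re-adding a small Markdown subset, and never reads a client-supplied `parsed_text`. `CommentRequest` and `RenderComment` are hypothetical names, and the three-rule Markdown subset stands in for a full renderer plus sanitizer.

```go
package main

import (
	"fmt"
	"html"
	"net/url"
	"regexp"
)

// CommentRequest uses the field names from the patched client call.
type CommentRequest struct {
	OriginalText string `json:"original_text"`
	ParsedText   string `json:"parsed_text"` // untrusted: never read by the server
}

var (
	codeRe = regexp.MustCompile("`([^`]+)`")
	boldRe = regexp.MustCompile(`\*\*(.+?)\*\*`)
	linkRe = regexp.MustCompile(`\[([^\]]+)\]\(([^)\s]+)\)`)
)

// RenderComment (hypothetical name) derives parsed_text from original_text only.
// Everything is HTML-escaped first; a small Markdown subset is re-added after.
func RenderComment(req CommentRequest) string {
	out := html.EscapeString(req.OriginalText)
	out = codeRe.ReplaceAllString(out, "<code>$1</code>")
	out = boldRe.ReplaceAllString(out, "<strong>$1</strong>")
	out = linkRe.ReplaceAllStringFunc(out, func(m string) string {
		p := linkRe.FindStringSubmatch(m)
		u, err := url.Parse(html.UnescapeString(p[2]))
		if err != nil || (u.Scheme != "http" && u.Scheme != "https") {
			return p[1] // javascript:, data:, relative or malformed: keep text only
		}
		return `<a href="` + html.EscapeString(u.String()) + `" rel="nofollow noopener">` + p[1] + `</a>`
	})
	return "<p>" + out + "</p>"
}

func main() {
	// Constructed request: the client-supplied parsed_text is hostile and ignored.
	req := CommentRequest{
		OriginalText: "**hi** <img src=x onerror=alert(1)> [x](javascript:void0)",
		ParsedText:   "<img src=x onerror=alert(1)>",
	}
	fmt.Println(RenderComment(req))
}
```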
- [1] NVD - CVE-2023-1237
- [2] fix(comment): Resolving xss issues in comments · apache/answer@0566894
- [3] GitHub - apache/answer: A Q&A platform software for teams at any scales. Whether it's a community forum, help center, or knowledge management platform, you can always count on Apache Answer.
- [4] The world’s first bug bounty platform for AI/ML
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/answerdev/answer (Go) | < 1.0.6 | 1.0.6 |
Affected products
- answerdev/answerdev/answer, v5, Range: unspecified
Patches
0566894a2c0e · fix(comment): Resolving xss issues in comments
1 file changed · +4 −9
ui/src/components/Comment/index.tsx+4 −9 modified@@ -5,7 +5,6 @@ import { Link } from 'react-router-dom'; import classNames from 'classnames'; import { unionBy } from 'lodash'; -import { marked } from 'marked'; import * as Types from '@/common/interface'; import { Modal } from '@/components'; @@ -108,15 +107,11 @@ const Comment = ({ objectId, mode, commentId }) => { const users = matchedUsers(item.value); const userNames = unionBy(users.map((user) => user.userName)); const commentMarkDown = parseUserInfo(item.value); - const html = marked.parse(commentMarkDown); - // if (!commentMarkDown || !html) { - // return; - // } + const params = { object_id: objectId, original_text: commentMarkDown, mention_username_list: userNames, - parsed_text: html, ...(item.type === 'reply' ? { reply_comment_id: item.comment_id, @@ -128,13 +123,13 @@ const Comment = ({ objectId, mode, commentId }) => { return updateComment({ ...params, comment_id: item.comment_id, - }).then(() => { + }).then((res) => { setComments( comments.map((comment) => { if (comment.comment_id === item.comment_id) { comment.showEdit = false; - comment.parsed_text = html; - comment.original_text = item.value; + comment.parsed_text = res.parsed_text; + comment.original_text = res.original_text; } return comment; }),
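Review bot: In the second hunk (@@ -108), dropping `parsed_text: html` from `params` only stops this UI from sending rendered HTML; the diff touches ui/src/components/Comment/index.tsx alone, so nothing here shows the server refusing a `parsed_text` that arrives in a request not built by this component. Please confirm the comment API discards any client-sent `parsed_text` and derives it from `original_text` with sanitization, and drop the stray blank `+` line left where the commented-out check was removed.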
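Review bot: In the third hunk (@@ -128), `res.parsed_text` and `res.original_text` are read without checking that `updateComment` resolved with a body, so an undefined `res` throws inside the `then` callback and a response lacking those fields blanks the comment in local state. Guard for a missing `res` and fall back to `item.value` for `original_text`. Since `comment.parsed_text` now comes straight from the response, a short comment stating that the server is responsible for sanitizing it would document the contract this line relies on.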
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.