VYPR
Moderate severity · NVD Advisory · Published Mar 7, 2023 · Updated Mar 5, 2025

Cross-site Scripting (XSS) - Stored in answerdev/answer

CVE-2023-1242

Description

Cross-site Scripting (XSS) - Stored in GitHub repository answerdev/answer prior to 1.0.6.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in Answer Q&A platform prior to 1.0.6 allows attackers to inject arbitrary JavaScript via user-contributed content.

Vulnerability

Overview

CVE-2023-1242 is a stored cross-site scripting (XSS) vulnerability in the Answer Q&A platform (now Apache Answer) prior to version 1.0.6. The flaw exists in the GetExcerpt function, which processes user-supplied content without proper sanitization, allowing malicious HTML/JavaScript to be stored and later rendered to other users [1][2].

Exploitation

An attacker with the ability to post content (e.g., questions, answers, or comments) can inject a crafted payload. No special privileges beyond standard user access are required. The injected script is stored on the server and executed in the browsers of any user viewing the affected content, including administrators [4].

Impact

Successful exploitation enables the attacker to perform actions on behalf of the victim, such as stealing session cookies, modifying page content, or redirecting users to malicious sites. This can lead to account takeover, data exfiltration, or further compromise of the application [2][4].

Mitigation

The vulnerability was fixed in Answer version 1.0.6 via commit 90bfa0d [1]. Users running earlier versions should upgrade immediately. No workarounds have been published, and the project has since moved to the Apache Software Foundation [3].
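The shape of the bug, as an added example in Go that is not code from the Answer project: an excerpt is cut from user-supplied text and later placed in a page. The real fix switched the excerpt's source to a separately processed field; this example instead uses the standard library's html.EscapeString as the sanitization step, and shows why the excerpt must be truncated before it is escaped and cut on runes rather than bytes. Post, ExcerptUnsafe, ExcerptSafe, firstLine and LooksLikeMarkup are hypothetical names chosen for this illustration, and the input is constructed.

```go
package main

import (
	"fmt"
	"html"
	"strings"
	"unicode/utf8"
)

// Constructed example, not code from the Answer project. It models the shape of
// the CVE-2023-1242 bug: an excerpt is cut from user-supplied text and later
// embedded in a page. Post, ExcerptUnsafe, ExcerptSafe, firstLine and
// LooksLikeMarkup are hypothetical names chosen for this illustration.

// Post stands in for the record whose text is excerpted.
type Post struct {
	OriginalText string // raw text exactly as the user submitted it
}

// firstLine trims the text, keeps only its first line, and truncates it to
// maxRunes characters. Truncation works on runes, not bytes, so a multi-byte
// character is never cut in half.
func firstLine(s string, maxRunes int) string {
	s = strings.TrimSpace(s)
	if idx := strings.Index(s, "\n"); idx >= 0 {
		s = s[:idx]
	}
	if utf8.RuneCountInString(s) > maxRunes {
		s = string([]rune(s)[:maxRunes]) + "..."
	}
	return s
}

// ExcerptUnsafe mirrors the vulnerable shape: the first line of the raw text
// is returned untouched, so any markup the user typed reaches the page intact
// if the caller drops the excerpt into HTML.
func ExcerptUnsafe(p Post, maxRunes int) string {
	return firstLine(p.OriginalText, maxRunes)
}

// ExcerptSafe produces an excerpt that is inert in an HTML text context.
// Order matters: truncate first, then escape. Escaping first and truncating
// afterwards could cut an entity such as "&lt;" in half and re-open the hole.
func ExcerptSafe(p Post, maxRunes int) string {
	return html.EscapeString(firstLine(p.OriginalText, maxRunes))
}

// LooksLikeMarkup is a cheap regression check for tests: an excerpt destined
// for an HTML text node should never contain a raw '<' or '>'.
func LooksLikeMarkup(excerpt string) bool {
	return strings.ContainsAny(excerpt, "<>")
}

func main() {
	// Constructed input: a first line carrying a tag, followed by ordinary text.
	p := Post{OriginalText: "  <script>alert(1)</script>\nsecond paragraph"}
	fmt.Printf("unsafe excerpt: %q (markup: %v)\n", ExcerptUnsafe(p, 80), LooksLikeMarkup(ExcerptUnsafe(p, 80)))
	fmt.Printf("safe excerpt:   %q (markup: %v)\n", ExcerptSafe(p, 80), LooksLikeMarkup(ExcerptSafe(p, 80)))
}
```

Escaping is the right tool only when the excerpt is emitted as plain text; if the product needs formatted excerpts, the equivalent step is an HTML sanitizer applied to the rendered content before truncation, with the same rune-safe cut afterwards.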

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: github.com/answerdev/answer (Go)
Affected versions: < 1.0.6
Patched versions: 1.0.6


Patches

90bfa0dcc7b4

update GetExcerpt

https://github.com/answerdev/answer · aichy126 · Feb 24, 2023 · via ghsa
1 file changed · +1 −1
  • internal/schema/tag_schema.go · +1 −1 · modified
    @@ -90,7 +90,7 @@ type GetTagResp struct {
     }
     
     func (tr *GetTagResp) GetExcerpt() {
    -	excerpt := strings.TrimSpace(tr.OriginalText)
    +	excerpt := strings.TrimSpace(tr.ParsedText)
     	idx := strings.Index(excerpt, "\n")
     	if idx >= 0 {
     		excerpt = excerpt[0:idx]
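Review bot: the safety of this one-line change rests entirely on tr.ParsedText being sanitized wherever it is populated, and nothing in the hunk or the commit message ("update GetExcerpt") records that invariant; a comment on GetExcerpt stating that ParsedText is the sanitized form, plus a regression test that sets OriginalText to a tag-bearing string and asserts the excerpt carries no raw markup, would keep a future refactor from silently reintroducing the bug. A second point on the unchanged lines: `idx := strings.Index(excerpt, "\n")` followed by `excerpt = excerpt[0:idx]` now operates on ParsedText, so if that field holds rendered HTML the cut at the first newline can end inside an element and leave an unclosed tag in the excerpt; if the excerpt is emitted as HTML rather than text, the truncation should be done on the text content or followed by a sanitizer pass.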
    

