Cross-site Scripting (XSS) - Stored in answerdev/answer
Description
Cross-site Scripting (XSS) - Stored in GitHub repository answerdev/answer prior to 1.0.6.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Answer Q&A platform prior to 1.0.6 allows attackers to inject arbitrary JavaScript via the site name field.
Vulnerability
Overview
CVE-2023-1244 is a stored cross-site scripting (XSS) vulnerability in the Answer Q&A platform, affecting versions prior to 1.0.6. The root cause is insufficient sanitization of the site_name input during the initial setup process. The commit that fixes the issue adds a custom sanitizer validation tag to the SiteName field, indicating that user-supplied HTML or JavaScript was not being properly filtered before storage [1][3].
Exploitation
An attacker with access to the initial setup interface (or any subsequent administrative interface that allows modifying the site name) can inject malicious scripts into the site_name parameter. Because the input is stored and later rendered on pages throughout the application, the XSS is persistent. No authentication is required if the attacker can trigger the setup flow, but in practice, exploitation typically requires administrative privileges or a misconfiguration that exposes the setup endpoint [2][4].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of any user who views a page containing the injected site name. This can lead to session hijacking, defacement, or theft of sensitive data. The vulnerability is classified as stored XSS, which is generally considered high severity because the malicious payload persists and affects multiple users without requiring additional interaction [1][4].
Mitigation
The issue was patched in Answer version 1.0.6 by adding input sanitization to the site_name field. Users should upgrade to the latest version immediately. No workarounds are documented, but restricting access to the setup and administrative interfaces can reduce the attack surface [2][3].
- NVD - CVE-2023-1244
- GitHub - apache/answer: A Q&A platform software for teams at any scales. Whether it's a community forum, help center, or knowledge management platform, you can always count on Apache Answer.
- update site_name sanitizer · apache/answer@9870ed8
- The world’s first bug bounty platform for AI/ML
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/answerdev/answerGo | < 1.0.6 | 1.0.6 |
Affected products
2- answerdev/answerdev/answerv5Range: unspecified
Patches
19870ed87fb24update site_name sanitizer
1 file changed · +1 −1
internal/install/install_req.go+1 −1 modified@@ -78,7 +78,7 @@ type InitEnvironmentResp struct { // InitBaseInfoReq init base info request type InitBaseInfoReq struct { Language string `validate:"required,gt=0,lte=30" json:"lang"` - SiteName string `validate:"required,gt=0,lte=30" json:"site_name"` + SiteName string `validate:"required,sanitizer,gt=0,lte=30" json:"site_name"` SiteURL string `validate:"required,gt=0,lte=512,url" json:"site_url"` ContactEmail string `validate:"required,email,gt=0,lte=500" json:"contact_email"` AdminName string `validate:"required,gt=3,lte=30" json:"name"`
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4News mentions
0No linked articles in our index yet.