Cross-site Scripting (XSS) - Stored in answerdev/answer
Description
Cross-site Scripting (XSS) - Stored in GitHub repository answerdev/answer prior to 1.0.6.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in answerdev/answer prior to 1.0.6 via the user bio field due to insufficient Markdown sanitization.
CVE-2023-1245 is a stored cross-site scripting (XSS) vulnerability in the answerdev/answer Q&A platform, affecting versions prior to 1.0.6. The root cause lies in the user profile bio field, which accepts Markdown input. The application's Markdown2HTML function converts Markdown to HTML without proper sanitization, allowing attackers to inject arbitrary HTML and JavaScript. This issue was addressed in a commit that introduced Markdown2BasicHTML, which uses the bluemonday policy to restrict HTML to only basic elements (p, b, br) and img with src attribute [1][3].
To exploit this vulnerability, an attacker must be an authenticated user with the ability to edit their profile bio. By crafting a malicious Markdown payload containing JavaScript (e.g., via ` or ` tags), the attacker can store the payload in the bio field. When other users view the attacker's profile, the injected script executes in their browser context. No special privileges or additional access are required beyond the ability to update one's own profile [1][4].
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to session hijacking, theft of cookies or authentication tokens, defacement of the profile page, or other actions performed on behalf of the victim. The impact is limited by the browser's same-origin policy but can affect all users who view the attacker's profile [1][4].
The vulnerability has been fixed in answerdev/answer version 1.0.6. The fix replaces the vulnerable Markdown2HTML function with Markdown2BasicHTML, which sanitizes the output to permit only safe HTML elements and attributes. Users are strongly advised to upgrade to 1.0.6 or later. No workarounds are available for earlier versions [3][4].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
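An audit for bio HTML that was rendered before the upgrade, added here as an example and not code from answerdev/answer: it flags any stored value containing markup outside the p, b, br and img-with-src allowlist described above. It assumes previously rendered values are still stored; the function name, the serialized tag forms it accepts and the sample rows are assumptions of this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Tag forms the allowlist (p, b, br, img with only src) can leave behind.
// The exact serialized forms are an assumption of this example.
var allowedTag = regexp.MustCompile(`(?i)</?(?:p|b)>|<br\s*/?>|<img src="([^"<>]*)"\s*/?>`)

// AuditBioHTML returns the reasons a stored bio HTML value falls outside the
// allowlist; an empty result means it is consistent with sanitized output.
func AuditBioHTML(stored string) []string {
	var findings []string
	for _, m := range allowedTag.FindAllStringSubmatch(stored, -1) {
		if !strings.HasPrefix(strings.ToLower(m[0]), "<img") {
			continue
		}
		// Conservative: any src containing ':' that is not http(s) is reported.
		src := strings.ToLower(strings.TrimSpace(m[1]))
		if strings.Contains(src, ":") && !strings.HasPrefix(src, "http://") && !strings.HasPrefix(src, "https://") {
			findings = append(findings, "img src with non-http(s) scheme: "+m[1])
		}
	}
	// Sanitized output entity-escapes text, so once every allowlisted tag is
	// removed no raw '<' should remain; a leftover '<' is unexpected markup.
	rest := allowedTag.ReplaceAllString(stored, "")
	if i := strings.Index(rest, "<"); i >= 0 {
		snippet := rest[i:]
		if len(snippet) > 40 {
			snippet = snippet[:40]
		}
		findings = append(findings, "markup outside allowlist: "+snippet)
	}
	return findings
}

func main() {
	// Constructed sample rows standing in for exported bio HTML values.
	samples := []string{
		`<p>Go developer, <b>SRE</b><br/>Berlin</p>`,
		`<p>hello</p><script>constructed()</script>`,
		`<p><img src="data:text/html,constructed"></p>`,
	}
	for n, s := range samples {
		fmt.Printf("row %d: %q\n", n, AuditBioHTML(s))
	}
}
```

Rows with findings can be re-rendered from the stored Markdown through the fixed converter; false positives are expected because the check only accepts exact allowlisted tag forms.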
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/answerdev/answer (Go) | < 1.0.6 | 1.0.6 |
Affected products
2- answerdev/answerdev/answerv5Range: unspecified
Patches
171a4cdac8111update user about me markdown
2 files changed · +12 −1
internal/schema/user_schema.go+1 −1 modified@@ -309,7 +309,7 @@ func (req *UpdateInfoRequest) Check() (errFields []*validator.FormErrorField, er return errFields, errors.BadRequest(reason.UsernameInvalid) } } - req.BioHTML = converter.Markdown2HTML(req.Bio) + req.BioHTML = converter.Markdown2BasicHTML(req.Bio) return nil, nil }
pkg/converter/markdown.go+11 −0 modified@@ -35,6 +35,17 @@ func Markdown2HTML(source string) string { return buf.String() } +// Markdown2BasicHTML convert markdown to html ,Only basic syntax can be used +func Markdown2BasicHTML(source string) string { + content := Markdown2HTML(source) + filter := bluemonday.NewPolicy() + filter.AllowElements("p", "b", "br") + filter.AllowAttrs("src").OnElements("img") + filter.AddSpaceWhenStrippingTag(true) + content = filter.Sanitize(content) + return content +} + type DangerousHTMLFilterExtension struct { }
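Review bot: In internal/schema/user_schema.go, the new call in UpdateInfoRequest.Check() only sanitizes BioHTML when a user submits a fresh update, so values rendered earlier through converter.Markdown2HTML are not covered by this change. Consider re-rendering existing bios through Markdown2BasicHTML (or sanitizing where BioHTML is output) as part of the fix, and add a test asserting that a bio containing raw HTML leaves only p, b, br and img in req.BioHTML.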
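Review bot: In pkg/converter/markdown.go, filter.AllowAttrs("src").OnElements("img") is added without any URL rule on the policy, so nothing in Markdown2BasicHTML restricts which schemes a src value may use. Suggest adding filter.AllowURLSchemes("http", "https") before filter.Sanitize(content) so only expected image URLs survive, and add a unit test for the function with a few raw-HTML inputs. Minor: the doc comment has a stray space before the comma ("html ,Only") and would be more useful if it named the permitted elements.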
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.