VYPR
Moderate severity · NVD Advisory · Published Mar 21, 2023 · Updated Feb 25, 2025

Cross-site Scripting (XSS) - Stored in answerdev/answer

CVE-2023-1535

Description

Cross-site Scripting (XSS) - Stored in GitHub repository answerdev/answer prior to 1.0.7.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in Answer prior to 1.0.7 allows attackers to inject arbitrary JavaScript via insufficiently sanitized markdown content.

Vulnerability

Analysis

CVE-2023-1535 is a stored Cross-Site Scripting (XSS) vulnerability in the Answer Q&A platform, affecting all versions prior to 1.0.7. The root cause is insufficient sanitization of user-supplied markdown input, allowing an attacker to embed arbitrary HTML and JavaScript that is later rendered to other users.

Exploitation

An authenticated attacker can exploit this vulnerability by submitting a question, answer, or comment containing malicious markdown. Because the input is not properly filtered, the injected script is stored on the server and executed in the browsers of any visitor viewing the affected content. No special privileges beyond the ability to post content are required [1][4].

Impact

Successful exploitation enables a variety of client-side attacks, including session hijacking, credential theft, forced redirections, and defacement. The attacker can effectively impersonate the victim within the context of the application, potentially performing actions on their behalf [2].

Mitigation

Answer version 1.0.7 includes a commit that addresses the XSS vulnerability by strengthening markdown sanitization [1]. Users are strongly advised to upgrade to this version or later. No workarounds have been released, and the platform's official guidance recommends updating immediately.
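The 1.0.7 fix places an HTML sanitizer after markdown conversion. As an added example (not the project's code, which uses bluemonday in Go), the following Python stand-in shows the same allowlist approach on the standard library: a constructed sample of renderer output containing a script tag, an event-handler attribute and a javascript: link is reduced to safe markup. The tag, attribute and scheme sets are assumptions chosen for illustration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allowlist (constructed for this example): the markup a Q&A post legitimately needs.
ALLOWED_TAGS = {"p", "br", "strong", "em", "code", "pre", "ul", "ol", "li",
                "blockquote", "a", "h1", "h2", "h3"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
SAFE_SCHEMES = {"http", "https", "mailto", ""}  # "" = relative URL
HIDDEN_CONTENT = {"script", "style"}            # their bodies are dropped, not just the tags

class AllowlistSanitizer(HTMLParser):
    """Re-emits allowlisted tags/attrs only; other tags vanish, text is re-escaped."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.hidden = [], 0

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:                 # <img onerror>, <iframe>, <svg>, ...
            self.hidden += tag in HIDDEN_CONTENT    # also suppress script/style bodies
            return
        kept = ""
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()):   # drops on*, style, src, ...
                continue
            if name == "href" and urlparse((value or "").strip()).scheme.lower() not in SAFE_SCHEMES:
                continue                            # drops javascript:, data:, vbscript:
            kept += f' {name}="{escape(value or "", quote=True)}"'
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in HIDDEN_CONTENT:
            self.hidden = max(0, self.hidden - 1)
        elif tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.hidden:
            self.out.append(escape(data, quote=False))

def sanitize(rendered_html):
    # Apply after markdown -> HTML conversion, the same position as the fix.
    p = AllowlistSanitizer()
    p.feed(rendered_html)
    p.close()
    return "".join(p.out)

# Constructed sample: HTML a markdown renderer would emit for a malicious post.
RENDERED = ('<p>Try <strong>this</strong>: <a href="https://example.com" onclick="steal()">'
            'link</a></p><script>alert(document.cookie)</script>'
            '<p><a href="javascript:alert(1)">click</a></p><img src=x onerror="alert(1)">')
print(sanitize(RENDERED))
```

A maintained sanitizer such as bluemonday's UGC policy covers far more cases (entity tricks, nested tags, URL normalisation) than this illustration; the point shown is the position of the filter and the allowlist discipline.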

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                      Ecosystem  Affected versions  Patched versions
github.com/answerdev/answer  Go         < 1.0.7            1.0.7

Affected products

2

Patches

1
c3743bad4f2a

update markdown xss

https://github.com/answerdev/answer · aichy126 · Mar 10, 2023 · via ghsa
1 file changed · +4 −1
  • pkg/converter/markdown.go  +4 −1  modified
    @@ -32,7 +32,10 @@ func Markdown2HTML(source string) string {
     		log.Error(err)
     		return source
     	}
    -	return buf.String()
    +	html := buf.String()
    +	filter := bluemonday.NewPolicy()
    +	html = filter.Sanitize(html)
    +	return html
     }
     
     // Markdown2BasicHTML convert markdown to html ,Only basic syntax can be used
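Review bot: `bluemonday.NewPolicy()` is a blank policy that allows no elements or attributes, so `filter.Sanitize(html)` strips every tag from the rendered markdown (links, code blocks and lists included), not only script-bearing ones; if the goal is safe user-generated markup rather than plain text, `bluemonday.UGCPolicy()` or a policy built with explicit `AllowElements`/`AllowAttrs` calls is the intended choice, and either way the policy should be constructed once at package level instead of on every call. The error branch just above the hunk still does `log.Error(err)` / `return source`, handing the raw input back unsanitized; that branch should pass through the same filter (or return an empty string) so a conversion failure cannot become a bypass. A test feeding a `<script>` or `onerror` payload through `Markdown2HTML` would document the intended behaviour.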
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4

News mentions

0

No linked articles in our index yet.