Headline
CVE-2023-1536: Stored XSS in create tag in answer
Cross-site Scripting (XSS) - Stored in GitHub repository answerdev/answer prior to 1.0.7.
Description
The create tag feature lets an attacker inject an HTML tag into the tag description, and the injected markup is executed when the tag is viewed.
Proof of Concept
1. Add question
2. Create tag with payload in description:
<img src=x onerror=alert(1) >
3. Post your question
4. Go to http://<your domain>/tags/<id tag>/timeline and click "created". The payload is executed.
POC
https://drive.google.com/file/d/1KncWqifwi_VTbTxmCNotwMXeUkNgF9Ji/view?usp=sharing
Impact
JavaScript executes in the victim's session, which can lead to potential account takeover, performing actions as that user, …
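The rendering flaw and its fix, as an added example that is not code from the answerdev/answer repository: it assumes a server-side Go `html/template` view, which may differ from how Answer renders the timeline page. `TagRevision`, `RenderUnsafe` and `RenderSafe` are hypothetical names.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
)

// TagRevision is a hypothetical record for one entry on a tag's timeline page.
type TagRevision struct {
	TagName     string
	Description string // user-controlled, stored exactly as submitted
}

// Vulnerable form: the template receives the description as template.HTML,
// so html/template treats it as trusted markup and emits it unchanged.
var unsafeTmpl = template.Must(template.New("unsafe").Parse(
	`<h1>{{.TagName}}</h1><div class="desc">{{.Raw}}</div>`))

// Hardened form: the description stays a plain string, so html/template
// escapes it for the HTML text context it is placed in.
var safeTmpl = template.Must(template.New("safe").Parse(
	`<h1>{{.TagName}}</h1><div class="desc">{{.Description}}</div>`))

// RenderUnsafe reproduces the flaw: stored input is marked as trusted HTML.
func RenderUnsafe(r TagRevision) (string, error) {
	var buf bytes.Buffer
	err := unsafeTmpl.Execute(&buf, struct {
		TagName string
		Raw     template.HTML
	}{r.TagName, template.HTML(r.Description)})
	return buf.String(), err
}

// RenderSafe renders the same record with contextual auto-escaping.
func RenderSafe(r TagRevision) (string, error) {
	var buf bytes.Buffer
	if err := safeTmpl.Execute(&buf, r); err != nil {
		return "", fmt.Errorf("render tag timeline: %w", err)
	}
	return buf.String(), nil
}

func main() {
	// Constructed sample: the description from step 2 of the proof of concept.
	r := TagRevision{TagName: "demo", Description: "<img src=x onerror=alert(1) >"}
	u, _ := RenderUnsafe(r)
	s, _ := RenderSafe(r)
	fmt.Printf("unsafe: %s\nsafe:   %s\n", u, s)
}
```

If a description must keep some formatting, such as rendered Markdown, pass it through an allowlist HTML sanitizer before marking it as trusted instead of emitting it raw.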
Related news
GHSA-xvfj-84vc-hrmf: Answer vulnerable to Stored Cross-site Scripting