Headline
CVE-2021-46372: Cross-site Scripting (XSS) - Stored in scoold
Scoold 1.47.2 is a Q&A/knowledge base platform written in Java. When writing a Q&A post, the markdown editor allows stored XSS: the check that rejects javascript: link targets is case-sensitive, so a target whose scheme uses uppercase letters (for example Javascript:) is accepted and rendered as a clickable link.
Description
Scoold is a Q&A/knowledge base platform written in Java. When writing a Q&A post, you can use the markdown editor, so I tried the []() link syntax for an XSS attack. The backend appeared to reject link targets beginning with javascript:, so that alone could not be used. However, RFC 3986 (section 3.1) defines URI schemes as case-insensitive, so a scheme may also be written with uppercase letters. The browser treats Javascript: exactly like javascript:, but the backend check did not, so the uppercase spelling bypasses it.
Proof of Concept
1. Open https://pro.scoold.com/questions/ask
2. Enter [XSS](Javascript:alert(document.domain)) as the value for Content, and save it.
3. Click the XSS text in the Q&A post.
Video : https://www.youtube.com/watch?v=z1Jep-4St48
Impact
Through this vulnerability, an attacker can store a link in a Q&A post that executes attacker-controlled JavaScript in the browser of any user who clicks it, in the context of the Scoold origin and with that user's session.