CVE-2023-1237: Answer vulnerable to Cross-site Scripting
5.4
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.24457%
CWE
Published
3/7/2023
Updated
3/13/2023
KEV Status
No
Technology
Go
GoTechnical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| github.com/answerdev/answer | go | < 1.0.6 | 1.0.6 |
Vulnerability Intelligence
Miggo AI
Miggo AIRoot Cause Analysis
The vulnerability stems from client-side Markdown processing using the marked library without proper sanitization. The key indicators are:
- Removal of 'marked' import in the patch
- Removal of client-side HTML generation via marked.parse(commentMarkDown)
- Transition to server-side parsed_text handling in the patched version
- Direct storage of unsanitized user input's HTML output in parsed_text pre-patch
- CWE-79 alignment - raw user input was rendered as HTML without neutralization
The vulnerable code path involved taking user-controlled commentMarkDown, parsing it to HTML client-side, and storing/rendering it without adequate XSS protections.