Isso Commenting Server Stored Cross-Site Scripting Vulnerability
Vulnerability
A stored Cross-Site Scripting (XSS) vulnerability has been identified in Isso, a lightweight commenting server, affecting versions prior to 0.13.2. The issue arises in the website and author comment fields, where single and double quotes were not properly HTML-escaped. This flaw allows injection of arbitrary event handlers into the website field, as the frontend directly concatenates the unescaped URL into a single-quoted href attribute. The vulnerability is also present in the comment edit and moderation edit endpoints, which lack proper escaping altogether.
Impact
A successful attack stores a script that runs in the browser of any user who views the comments. Because the event handler is injected into the link built from the website field, the payload fires on simple mouse movement over that link, with no click required.
Reproduction
To reproduce this vulnerability, post a comment with a crafted website URL that includes a single quote and an event handler payload, such as an 'onmouseover' or 'onclick' event. The comment will be saved in the database, and the payload will execute when the comment is viewed, triggered by the mouse movement over the injected link. This can be done anonymously, without any authentication, as long as comment moderation is disabled.
Remediation
Users are advised to upgrade to Isso version 0.13.2 or later, which includes the necessary patch. Enabling comment moderation partially mitigates the issue, since unapproved comments are not shown to other visitors, but it does not fully resolve it: a moderator could still approve a malicious comment, after which it is rendered for every viewer.
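The escaping defect described above, shown as an added example (not Isso's own code): a quote-blind escaper beside a complete one, both applied to a website value that is concatenated into a single-quoted href, plus a small check that counts the attributes the resulting tag carries. The sample input, the helper names and the exact markup are assumptions for illustration.

```javascript
// Added example, not code from the Isso project.

// Escaper that forgets quotes: it stops <script> injection in text
// nodes, but once the value lands inside an attribute a quote ends it.
function escapeIncomplete(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Complete escaper: also neutralises both quote characters, so the
// value can never terminate the attribute it is placed in.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Mirrors the pattern the advisory describes: the website URL is
// dropped into a single-quoted href by string concatenation. Using
// DOM APIs (element.setAttribute) instead of concatenation avoids
// the problem entirely, but this keeps the advisory's shape.
function renderAuthorLink(website, author, escape) {
  return "<a href='" + escape(website) + "' rel='nofollow'>" +
    escape(author) + "</a>";
}

// Constructed sample input: a website value carrying a single quote
// followed by an event-handler attribute, as the advisory describes.
const hostileWebsite = "https://example.invalid/' onmouseover='handler()";

// Defender-side check: list the attribute names a parser would see in
// the opening tag. Safe escaping yields exactly the two intended ones.
function attributeNames(html) {
  const tag = html.slice(1, html.indexOf(">"));
  const names = [];
  const re = /\s([a-zA-Z-]+)='[^']*'/g;
  let m;
  while ((m = re.exec(tag)) !== null) names.push(m[1]);
  return names;
}

// Vulnerable rendering grows a third attribute; fixed rendering does not.
const vulnerable = renderAuthorLink(hostileWebsite, "Alice", escapeIncomplete);
const hardened = renderAuthorLink(hostileWebsite, "Alice", escapeHtml);
```

The same check, run over the HTML produced by the comment edit and moderation edit paths, shows whether those paths escape the value at all.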
