Helpy Stored Cross-Site Scripting Vulnerability in Knowledge Base Document Rendering

A stored cross-site scripting vulnerability has been identified in Helpy version 2.8.0. This issue arises in the knowledge base document rendering process, where an authenticated attacker with admin or agent editor privileges can inject arbitrary HTML or JavaScript into the body field of a knowledge base document. The injected script is executed in the browser of any user who views the rendered article, including unauthenticated visitors. The vulnerability is rooted in the DocsHelper's sanitize_doc_content method, which improperly marks content as safe without adequate sanitization, allowing malicious scripts to run.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the document.

Reproduction

To reproduce this vulnerability, log in to Helpy 2.8.0 as an admin user. Navigate to the 'New Document' page in the admin panel and select a category. In the body field, switch to the HTML editor and paste a script payload, such as one containing JavaScript code. After saving the document, the injected script will execute when the document is viewed as an unauthenticated user.