Paragon Initiative Enterprises: Airship: Persistent XSS via Comment

ID H1:301973
Type hackerone
Reporter foobar7
Modified 2018-04-24T08:47:31


Affected: Airship 2.0.0 (commit 15bdc0d)


Medium 6.1


The "name" field of a comment on a blog post is vulnerable to persistent XSS.

When replying to a comment, the comment name is inserted into the DOM without encoding, leading to persistent XSS.

By default, comments are open to anonymous users, although that can be disabled by an administrator.

Mitigating Factors

There are a couple of mitigating factors.

Airship uses a CSP per default, which makes exploitation more difficult. The CSP can be disabled by an administrator though, and there may be attack possibilities even with the default CSP.

The attacked user has to actively click on "reply" for the payload to execute, meaning an attacker has to entice the user to do so.

Finally, the payload is shown in plaintext in the username field, which might make the attacked user suspicious. An attacker can try to hide it by using an overly long or complicated name.


The vulnerability exists in file /static/Hull/comments.js?, specifically these lines where the author name is read out of the DOM and inserted into it again without proper encoding:

window.replyTo = function(commentId, author) {
        "<div class='blog-comment-label form-column'></div><div class='form-comment-field form-column'>" +
        "<input type='hidden' name='reply_to' value='" + commentId + "' />" +
            "Replying to " + author + " (Comment #" + commentId + ")" +


  1. Under bridge/admin/settings, check "allow unsafe inline" under javascript.
  2. Leave a comment on a blog post. As name, use: '"><img src=no onerror=alert(1)>
  3. Click on "Reply". The name will be read out via javascript and inserted into the DOM.


With a successful exploitation, an attacker can among other perform arbitrary actions in the name of the attacked user, such as adding a new administrator, and thus gain full access to the application.