CVE-2023-43193: Submitty Cross-Site Scripting (XSS) Vulnerability Report

Introduction

Submitty before v22.06.00 is vulnerable to Cross-Site Scripting (XSS). An attacker can create a malicious link in the forum that leads to XSS.

CVSS Score

Score

Impact

Likelihood

Problem Details

Overview

This report identifies a Cross-Site Scripting (XSS) vulnerability within Submitty, specifically within the Markdown rendering functionality of the forum component. The vulnerability arises due to inadequate sanitization of user input in Markdown links. An attacker can exploit this flaw by crafting a malicious Markdown link that contains embedded JavaScript code.

Markdown, being a lightweight markup language, is widely used for formatting text on the web. Submitty uses Markdown for various user-generated content areas. However, the current implementation does not properly escape JavaScript URLs (javascript:) within the links. As a result, when a Markdown link containing JavaScript is rendered, the script gets executed instead of being treated as a regular hyperlink.

This type of XSS vulnerability is particularly concerning because:

Affected Area

The forum component of Submitty.

Root Cause

The vulnerability originates from the use of the CommonMarkConverter library in the application for rendering Markdown content. While CommonMarkConverter is a robust and popular choice for converting Markdown to HTML, its security relies heavily on proper configuration.

The primary cause of this XSS vulnerability is a misconfiguration in the CommonMarkConverter usage. Specifically, the allow_unsafe_links option was not explicitly set to false. This configuration flag controls whether the parser permits javascript: URLs, which are inherently dangerous as they can be used to execute JavaScript code directly in the browser. By default, CommonMarkConverter is designed to allow all links, including javascript: URLs, considering some use cases might require such functionality. However, this default behavior poses a significant security risk in environments where user-generated content is parsed and rendered.

Steps to Reproduce

The following steps reproduce the issue.

  1. Access the forum component of Submitty (any version before v22.06.00).
  2. Create a new post, enable Markdown, and enter [XSS](javascript:alert('XSS')) as the payload.
  3. Submit the new post.
  4. Click the XSS link and observe that the script javascript:alert('XSS') is executed.

Remediations

When using the CommonMarkConverter library, the allow_unsafe_links option should be explicitly set to false.
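The misconfiguration described under Root Cause and the fix above, as an added example that is not Submitty's own code: it renders the report's payload once with the library default and once with the hardened configuration, and wraps a check a maintainer can keep as a regression test. It assumes league/commonmark 2.x installed via Composer; the html_input option and the containsScriptUrl helper are additions beyond what the report itself states.

```php
<?php
// Added example, not Submitty's code. Assumes league/commonmark 2.x (convert()).
require __DIR__ . '/vendor/autoload.php';

use League\CommonMark\CommonMarkConverter;

// Constructed sample input: the payload from "Steps to Reproduce".
$payload = "[XSS](javascript:alert('XSS'))";

// Misconfiguration: allow_unsafe_links is never set, so the library default
// (true) applies and the javascript: target is emitted into the href.
$unsafeConverter = new CommonMarkConverter();

// Hardened: refuse javascript:, vbscript:, file: and data: link targets, and
// escape raw HTML in the post body so tags cannot be smuggled in directly
// (html_input is an extra hardening step assumed here, not from the report).
$safeConverter = new CommonMarkConverter([
    'allow_unsafe_links' => false,
    'html_input'         => 'escape',
]);

/**
 * Regression check: true if the rendered HTML carries a link whose target
 * uses a script-capable scheme. Case-insensitive; tolerates whitespace
 * and a leading scheme written in mixed case.
 */
function containsScriptUrl(string $html): bool
{
    return (bool) preg_match(
        '/\b(?:href|src)\s*=\s*["\']\s*(?:javascript|vbscript|data):/i',
        $html
    );
}

$unsafeHtml = (string) $unsafeConverter->convert($payload);
$safeHtml   = (string) $safeConverter->convert($payload);

echo "default config:  ", $unsafeHtml, PHP_EOL;
echo "hardened config: ", $safeHtml, PHP_EOL;

// With the default configuration the check fires; with the hardened
// configuration the library omits the unsafe href and the check stays quiet.
if (containsScriptUrl($safeHtml)) {
    fwrite(STDERR, "hardened renderer still emits a script URL\n");
    exit(1);
}
```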

References

The vulnerability has been fixed as part of pull request 8032.


Report prepared by: Fu Chai
Date: 10/31/2023