Apache Answer | Privacy leak & user information disclosure
Information
Software Type | Web App |
---|---|
Software Name | Apache Answer |
Affected Version | 1.4.1 |
Software Vendor | Apache Software Foundation |
Software Link | https://github.com/apache/answer |
Severity | Medium |
CVSS Score | 6.5 |
CVE Link | https://www.cve.org/CVERecord?id=CVE-2025-29868 |
Affected Assets | 3+ |
Date of Discovery | Feb 2nd 2025 |
PoC Exploit | N/A |
Description
This vulnerability was identified as a result of collaborative efforts between Hamed Kohi (myself) & Luke Smith.
In Apache Answer Q&A v1.4.1, Markdown image embedding allows users to insert external images, but the request to fetch the image is made by the browser (client) rather than the server. This means that externally controlled resources are loaded in the user's browser every time the page is visited.
We managed to embed our payload inside a comment and the payload also became invisible; this would allow us to steal IP & browser data from users. Initially, when we reported this issue on Feb 2nd 2025, the Apache team rejected it, but they changed their mind on March 12th & assigned us a CVE with a CVSS score of 6.5 (Medium).
Reproduce
To reproduce, navigate to [/questions/10010000000000002] and add a comment with Markdown:

When the comment is viewed, the viewer's browser will make a request to 127.0.0.1:7500. An attacker can use this behavior to:
- Log user IP addresses by embedding a URL that points to an external server (for example, https://webhook.site/your-unique-url)
- Log browser user-agents and determine the user's operating system & browser information
Mitigation
In the new version, administrators can set whether external content can be displayed.
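For sites that cannot upgrade immediately, or that want to review content posted before the setting was enabled, stored comments can be audited for image references that leave the site. The Go sketch below is an added example, not Apache Answer's own code; the function name `ExternalImages`, the host `answer.example.org` and the sample comment are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Matches Markdown images ![alt](url "title") and raw <img src="url"> tags.
var imgRef = regexp.MustCompile(`!\[[^\]]*\]\(\s*<?([^\s)>]+)|(?i:<img\b[^>]*?\bsrc\s*=\s*["']?([^"'\s>]+))`)

// ExternalImages returns every image URL in body whose host is not siteHost.
// Relative URLs and data: URIs trigger no third-party request and are skipped.
func ExternalImages(body, siteHost string) []string {
	var out []string
	for _, m := range imgRef.FindAllStringSubmatch(body, -1) {
		raw := m[1]
		if raw == "" {
			raw = m[2] // the match came from the <img> alternative
		}
		if strings.HasPrefix(raw, "//") { // protocol-relative still leaves the site
			raw = "https:" + raw
		}
		u, err := url.Parse(raw)
		if err != nil || u.Host == "" {
			continue
		}
		if !strings.EqualFold(u.Hostname(), siteHost) {
			out = append(out, raw)
		}
	}
	return out
}

func main() {
	// Constructed sample comment: an empty alt text keeps the image unobtrusive.
	comment := "Nice answer! ![](http://127.0.0.1:7500/p.png) ![logo](/uploads/logo.png)"
	fmt.Println(ExternalImages(comment, "answer.example.org"))
}
```

Reference-style Markdown images (`![alt][ref]`) are not covered by this pattern and would need the link definitions resolved first.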
Proof of Concept (PoC) Video
Posted on: April 11, 2025 11:47 AM