Isso is a lightweight commenting server implemented in Python and JavaScript, used to add comment functionality to websites. In versions prior to commit 0afbfe0691ee237963e8fb0b2ee01c9e55ca2144, a stored Cross-Site Scripting (XSS) vulnerability exists due to improper neutralization of input during web page generation. The vulnerability specifically affects the website and author comment fields. The website field is HTML-escaped with quote=False, which leaves single and double quotes unescaped. Since the frontend inserts the website value directly into a single-quoted href attribute via string concatenation, an attacker can inject a single quote to break out of the attribute context. This allows injection of arbitrary JavaScript event handlers such as onmouseover or onclick, enabling execution of malicious scripts in the context of users viewing the comments. Additionally, the user-facing comment edit endpoint (PUT /id/) and the moderation edit endpoint (POST /id//edit/) lack any escaping, further increasing risk. Although enabling comment moderation (moderation = enabled = true in isso.cfg) prevents unauthenticated users from publishing comments, it does not fully mitigate the issue because a moderator activating a malicious comment can still expose visitors to the attack. The vulnerability has been addressed and patched in the specified commit. The CVSS 3.1 score is 6.1, reflecting a medium severity with network attack vector, low attack complexity, no privileges required, user interaction required, and partial impact on confidentiality and integrity but no impact on availability.

The primary impact of this vulnerability is the potential for attackers to execute arbitrary JavaScript in the browsers of users visiting websites using vulnerable versions of isso-comments. This can lead to theft of sensitive information such as session cookies, credentials, or personal data, enabling account takeover or impersonation. Attackers may also perform actions on behalf of users (CSRF-like effects) or deface the website content. Since the vulnerability is stored XSS, malicious scripts persist in the comment database and affect all visitors viewing the compromised comments. Organizations using isso-comments on public-facing websites risk reputational damage, user trust loss, and potential data breaches. The lack of authentication requirement lowers the barrier to exploitation, although user interaction is needed. Enabling comment moderation reduces risk but does not eliminate it, especially if moderators inadvertently approve malicious comments. The vulnerability does not affect system availability but compromises confidentiality and integrity of user interactions. Given isso's niche usage, impact is moderate but significant for affected sites.

1. Upgrade to the patched version of isso-comments that includes commit 0afbfe0691ee237963e8fb0b2ee01c9e55ca2144 or later, which properly escapes input and fixes the XSS vulnerability. 2. Until patching is possible, enable comment moderation (set moderation = enabled = true in isso.cfg) to prevent unauthenticated users from posting comments directly, thereby raising exploitation difficulty. 3. Review and sanitize all existing comments in the database to remove potentially malicious scripts or HTML. 4. Implement Content Security Policy (CSP) headers on the hosting website to restrict execution of inline scripts and reduce XSS impact. 5. Educate moderators on the risk of approving suspicious comments and establish strict moderation guidelines. 6. Monitor logs and user reports for suspicious activity or complaints related to comment content. 7. Consider deploying web application firewalls (WAFs) with rules to detect and block XSS payloads targeting isso comment fields. 8. Conduct regular security audits and penetration tests on the commenting system and associated web applications to detect similar issues.