Description
Hey @PanJiaChen, once again,
I'm Samprit Das from @redhuntlabs. I’ve identified a medium-severity vulnerability in your application. Please review the attached report and address the issue at your earliest convenience.
Title: Stored Cross-Site Scripting (XSS) via Name and Description Parameters
Observation: During testing, it was observed that the application lacks proper input validation and output encoding for the name and description parameters. As a result, malicious scripts can be stored and executed in the browser of users viewing the affected content, making the application vulnerable to Stored Cross-Site Scripting (XSS) attacks.
Severity: Medium (CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H)
Resources Affected: http://192.168.1.9:9527/dev-api/role
Parameter Affected: name & description
Affected code:
https://github.com/PanJiaChen/vue-element-admin/blob/master/src/views/permission/role.vue#L69
https://github.com/PanJiaChen/vue-element-admin/blob/master/src/views/permission/role.vue#L70
Technical Impact: Stored XSS allows attackers to inject malicious scripts that get executed in the browsers of other users, potentially leading to session hijacking, credential theft, or unauthorized actions.
Business Impact: This can compromise user trust, damage the application's reputation, and may lead to legal or compliance issues, especially if personal or financial data is affected.
Steps to reproduce:
1. Log in to the account and click on New Role.
2. Enter the payloads below in the name and description input fields and click on Confirm:
```
<img src=1 onerror=alert(document.cookie)>
<img src=1 onerror=alert(document.location)>
```
3. Observe that the first payload pops up an alert showing the cookie value.
4. Observe that the second payload pops up an alert showing the URL location.
Remediation:
Implement server-side input validation to reject or sanitize malicious input in the name and description parameters. Additionally, use proper output encoding/escaping when rendering user inputs in the browser to prevent script execution. Employ Content Security Policy (CSP) headers as a defense-in-depth measure to mitigate XSS risks.
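The encoding and validation steps above, as an added example that is not code from vue-element-admin. It assumes the sink concatenates the role name and description into an HTML string that is later rendered as markup (for instance a notification with raw HTML enabled); `renderRoleNotice`, `validateRole` and the `ROLE_NAME_RE` allowlist are hypothetical names and rules chosen for illustration.

```javascript
// Added example, not code from the project. Assumes the vulnerable sink builds
// an HTML string from the role name/description and renders it as markup.

// Every character with meaning in an HTML text context, mapped to its entity.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Output encoding: neutralise user input before it is placed in HTML.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable form: fields are interpolated into markup unchanged.
function renderRoleNoticeUnsafe(role) {
  return `<div>Role Name: ${role.name}</div>` +
         `<div>Description: ${role.description}</div>`;
}

// Hardened form: each field is encoded for the text context it lands in.
function renderRoleNotice(role) {
  return `<div>Role Name: ${escapeHtml(role.name)}</div>` +
         `<div>Description: ${escapeHtml(role.description)}</div>`;
}

// Server-side validation (hypothetical policy for the role API): names are
// short identifiers from an allowlist of characters, descriptions are bounded.
const ROLE_NAME_RE = /^[A-Za-z0-9 _-]{1,50}$/;
function validateRole(role) {
  const errors = [];
  if (typeof role.name !== 'string' || !ROLE_NAME_RE.test(role.name)) {
    errors.push('name');
  }
  if (typeof role.description !== 'string' || role.description.length > 200) {
    errors.push('description');
  }
  return errors; // empty array means the role is acceptable
}

// Constructed sample input: the first payload from the report as a role name.
const constructedRole = {
  name: '<img src=1 onerror=alert(document.cookie)>',
  description: 'Admin role',
};
```

With the unsafe renderer the `<img>` element reaches the DOM; with the hardened one the same input is displayed as literal text, and the validator rejects it before it is ever stored.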