Youlaitech Vue3-Element-Admin Cross-Site Scripting Vulnerability in Notice Component
Vulnerability
A stored cross-site scripting vulnerability has been identified in Youlaitech Vue3-Element-Admin versions through 3.4.0. The issue resides in the notice management feature, specifically in the file 'src/views/system/notice/index.vue'. It allows authenticated users with permission to create or edit notices to inject JavaScript into the notice body, and the injected script executes in the browsers of users who view the affected notice. The root cause is inadequate sanitization of the stored HTML content, which is rendered with the 'v-html' directive; 'v-html' inserts raw HTML and therefore skips the escaping Vue applies to normal template interpolation.
Impact
Exploitation of this vulnerability allows for the execution of arbitrary JavaScript in the context of the user's browser, potentially leading to the theft of authentication tokens and session data, manipulation of page content, and redirection of users to phishing websites.
Reproduction
To reproduce this vulnerability, an authenticated user with notice creation or editing privileges can use the WangEditor rich text editor to input a notice containing malicious JavaScript embedded within HTML tags. Once the notice is published, any user who views it will trigger the execution of the injected script in their browser.
Remediation
It is recommended to implement server-side sanitization of HTML content before storing it in the database, using a library such as DOMPurify to remove harmful tags and attributes. Additionally, configure WangEditor to restrict input to safe HTML, avoid rendering untrusted content with 'v-html', and consider applying a strict Content Security Policy to limit the sources from which scripts may execute.
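The hardened notice view described above, written as an added illustration rather than the project's own index.vue: it assumes a `notice` prop carrying `title` and `content` strings from the editor, and that the `dompurify` package is installed.

```vue
<!-- Added example (not the project's code). Assumes a `notice` prop with
     `title` and `content` fields and the `dompurify` package. -->
<script setup lang="ts">
import { computed } from "vue";
import DOMPurify from "dompurify";

const props = defineProps<{ notice: { title: string; content: string } }>();

// Vulnerable form, shown for contrast: rendering the stored HTML directly
// with v-html skips Vue's escaping, so any script or event-handler attribute
// stored in `content` runs in every viewer's browser.
//   <div v-html="notice.content" />

// Hardened form: sanitize immediately before rendering, keeping only the
// formatting the rich text editor legitimately produces. This is client-side
// defense in depth; the server-side sanitization recommended above is still
// the primary fix, since the stored content may reach other consumers.
const safeContent = computed(() =>
  DOMPurify.sanitize(props.notice.content, {
    USE_PROFILES: { html: true },   // basic HTML formatting only (no SVG/MathML)
    FORBID_TAGS: ["style", "form"], // notices need no style sheets or forms
    FORBID_ATTR: ["style"],         // drop inline styles as well
  })
);
</script>

<template>
  <div class="notice-view">
    <!-- {{ }} interpolation escapes the title; the body is sanitized before v-html -->
    <h2>{{ notice.title }}</h2>
    <div class="notice-content" v-html="safeContent" />
  </div>
</template>
```

For the server-side step, DOMPurify needs a DOM implementation (for example via jsdom or the isomorphic-dompurify package) when run under Node; the same configuration can then be applied before the notice is written to the database.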
