Yangzongzhuan RuoYi Swagger UI Cross-Site Scripting Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in Yangzongzhuan RuoYi versions through 4.8.1. This issue arises from improper access control on Swagger-related interfaces, allowing unauthenticated access to internal API documentation. The vulnerability is located in the Swagger UI component, specifically within the file '/swagger-ui/index.html'. The XSS is triggered by manipulating the 'configUrl' parameter, which is not properly sanitized before being rendered, enabling the execution of JavaScript payloads.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where an attacker can inject malicious scripts that are executed in the context of the user's browser.

Reproduction

To reproduce this vulnerability, access a Swagger UI instance on a Yangzongzhuan RuoYi server version through 4.8.1. Once there, navigate to the 'swagger-ui/index.html' file and append a 'configUrl' parameter with a URL pointing to a JSON file that contains a malicious payload. The injected script will be executed due to the way Swagger UI processes the 'configUrl' parameter.