yangzongzhuan RuoYi Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in yangzongzhuan RuoYi versions through 4.8.1. The issue resides in the SysNoticeController's addSave function, where user input is not properly sanitized before being saved to the database. This unsanitized input is later displayed to users, triggering the XSS payloads. The vulnerability can be exploited remotely, but requires user interaction.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the affected content.

Reproduction

To reproduce this vulnerability, log into the application and navigate to the notification announcement section. Create a new announcement and insert a script payload into the notice content. Once the announcement is saved, the injected script will execute when the notification is viewed.