z-9527 Admin Cross-Site Scripting Vulnerability in Message Create Endpoint
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in z-9527 Admin versions 1.0 and 2.0, up to commit 72aaf2d. The issue arises in the message create endpoint, where user-supplied content is accepted without sanitization or validation. The content is stored in the database and later rendered on the React frontend through dangerouslySetInnerHTML, which bypasses React's default output escaping and allows an authenticated attacker to inject arbitrary JavaScript. The injected script executes in the browsers of other users viewing the message board, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of the victims.
Impact
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the message board.
Reproduction
To reproduce this vulnerability, an authenticated user sends a POST request to the '/message/create' endpoint with a payload containing JavaScript, such as an image tag carrying an 'onerror' event handler. The stored content is returned unmodified, and the script executes whenever the message is viewed on the board.
Remediation
It is recommended to sanitize message content with an HTML sanitization library such as DOMPurify, to avoid dangerouslySetInnerHTML in React (render the content as a text child so React escapes it), and to validate input against a whitelist of allowed HTML tags and attributes so that event-handler attributes and script-capable URLs are never stored or rendered.
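The following is an added example, not code from z-9527 Admin, showing the two defensive rendering paths the remediation describes: escaping the message as plain text (what React does for a text child), and an illustrative whitelist filter that keeps a few formatting tags while dropping every other tag, every event-handler attribute, and any non-http(s)/mailto href. The tag and attribute whitelist, the renderMessage helper and the sample messages are assumptions for the example; the hand-written filter stands in for DOMPurify only so that the block runs without a DOM, and DOMPurify remains the recommended choice in production.

```javascript
// Added example (not z-9527 Admin's own code). Two ways to render stored
// message content so it cannot carry script to other users of the board.

// Path 1: treat content as plain text and entity-encode it. React applies
// this automatically when content is rendered as {message.content} instead
// of via dangerouslySetInnerHTML.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Path 2: whitelist filter. Assumed whitelist for the example; event
// handlers (onerror, onload, ...) and style are never listed, so they are
// always removed. Illustrative only: use DOMPurify in production.
const ALLOWED_TAGS = new Set(["b", "i", "em", "strong", "p", "br", "a"]);
const ALLOWED_ATTRS = { a: new Set(["href"]) };
const SAFE_URL = /^(https?:|mailto:)/i;

// Escape text between tags; existing entities such as &amp; are left alone.
function escapeText(text) {
  return text
    .replace(/&(?![a-zA-Z]+;|#\d+;|#x[0-9a-fA-F]+;)/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Rebuild an allowed opening tag keeping only its allowed attributes.
function rebuildTag(name, rawAttrs) {
  const allowed = ALLOWED_ATTRS[name] || new Set();
  const attrRe = /([a-zA-Z:-]+)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let out = "";
  let m;
  while ((m = attrRe.exec(rawAttrs)) !== null) {
    const attr = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? "";
    if (!allowed.has(attr)) continue;
    // href survives only with an http(s) or mailto scheme; javascript: and
    // data: URLs are dropped.
    if (attr === "href" && !SAFE_URL.test(value.trim())) continue;
    out += ` ${attr}="${escapeHtml(value)}"`;
  }
  return `<${name}${out}>`;
}

// Walk the input tag by tag: disallowed tags are removed (their inner text
// is kept as text), allowed tags are rebuilt with filtered attributes, and
// all text outside tags is entity-encoded so no new tags can form.
function sanitizeHtml(html) {
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
  let result = "";
  let last = 0;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    result += escapeText(html.slice(last, m.index));
    last = tagRe.lastIndex;
    const name = m[1].toLowerCase();
    if (!ALLOWED_TAGS.has(name)) continue;
    result += m[0].startsWith("</") ? `</${name}>` : rebuildTag(name, m[2]);
  }
  result += escapeText(html.slice(last));
  return result;
}

// Render-time decision for the message board: plain text by default, the
// whitelist filter only where formatting is genuinely needed.
function renderMessage(content, allowFormatting = false) {
  return allowFormatting ? sanitizeHtml(content) : escapeHtml(content);
}

// Constructed sample messages, including the kind of payload the advisory
// describes, to show what each path produces.
const SAMPLES = [
  'hello <img src=x onerror=alert(1)> world',
  '<a href="javascript:alert(1)" onclick="x()">click</a>',
  '<b>bold</b> &amp; <script>alert(1)</script>',
];
for (const s of SAMPLES) {
  console.log(renderMessage(s), "|", renderMessage(s, true));
}
```

Calling sanitizeHtml at the create endpoint before storage, and again (or DOMPurify) at render time, keeps the board safe even if older rows were stored before the fix; the escaping path needs no sanitizer at all and is the right default for a message board that does not need rich text.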
