bufanyun HotGo Cross-Site Scripting Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in bufanyun HotGo versions 1.0 and 2.0. The issue arises in the editNotice endpoint, where user-supplied content is accepted without proper sanitization or validation. This content is stored in the database and later rendered on the frontend using Vue.js v-html directive, which also lacks sanitization. As a result, authenticated attackers can inject arbitrary JavaScript that executes in the browsers of users viewing the notice, potentially leading to session hijacking or credential theft.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the notice.

Reproduction

To reproduce this vulnerability, create a system notice through the editNotice endpoint. Include an XSS payload, such as an image tag with an onerror event, in the content field. Once the notice is saved, it will execute the injected script when viewed.

Remediation

It is recommended to implement HTML sanitization using libraries like DOMPurify, avoid using v-html in favor of safer Vue.js rendering options, and validate input against a whitelist of allowed HTML tags and attributes.