kerwincui FastBee Stored Cross-Site Scripting Vulnerability in SysNoticeController

Vulnerability

A stored cross-site scripting vulnerability has been identified in kerwincui FastBee versions through 1.2.1. The issue resides in the System Notice Handler, specifically within the Add function of the SysNoticeController.java file. The vulnerability arises because the application treats the noticeContent argument as trusted HTML and stores it in the backend unchanged. When the notice is rendered on the frontend with v-html, Vue's default escaping is bypassed, so attacker-controlled markup executes in the viewer's browser, completing a stored XSS chain. The vulnerability can be exploited remotely by authenticated users who hold the system:notice:add or system:notice:edit permission.
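
The following is an added illustration, not FastBee code, of the two rendering sinks the advisory contrasts and of a server-side check a defender could apply before a notice is stored. It models v-html as raw markup insertion and text interpolation as escaped insertion; the function names, the validation rule and the sample notice text are all assumptions constructed for this example.

```javascript
// Added example (not FastBee code). Contrasts a v-html-style sink with
// Vue's default text interpolation and adds a defender-side check on
// noticeContent before storage. All names here are hypothetical.

// Escape the characters that are significant in HTML text and attribute
// contexts; this is what the browser does for textContent / {{ }} output.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// v-html behaves like assigning innerHTML: markup reaches the DOM as-is.
function renderWithVHtml(content) {
  return `<div class="notice">${content}</div>`;
}

// {{ noticeContent }} behaves like assigning textContent: markup is inert.
function renderWithInterpolation(content) {
  return `<div class="notice">${escapeHtml(content)}</div>`;
}

// Coarse server-side check for a field that is meant to be plain text:
// reject anything that looks like a tag, an event-handler attribute or a
// javascript: URL. If rich text is a requirement, an allowlist HTML
// sanitizer should replace this check rather than extend it.
const MARKUP_RE = /<[a-z!/?]|\bon[a-z]+\s*=|javascript:/i;
const MAX_NOTICE_LENGTH = 4000; // hypothetical limit

function validateNoticeContent(content) {
  if (typeof content !== 'string') return { ok: false, reason: 'not a string' };
  if (content.length > MAX_NOTICE_LENGTH) return { ok: false, reason: 'too long' };
  if (MARKUP_RE.test(content)) return { ok: false, reason: 'markup not allowed' };
  return { ok: true, reason: null };
}

// Constructed sample notices: one plain-text, one carrying a tag.
const SAMPLE_PLAIN = 'Gateway maintenance window: 22:00 to 23:00 UTC';
const SAMPLE_MARKUP = 'Maintenance tonight <script>x()</script>';

function demo() {
  for (const notice of [SAMPLE_PLAIN, SAMPLE_MARKUP]) {
    console.log('validate :', JSON.stringify(validateNoticeContent(notice)));
    console.log('v-html   :', renderWithVHtml(notice));
    console.log('escaped  :', renderWithInterpolation(notice));
  }
}

if (typeof require !== 'undefined' && require.main === module) demo();
```

The point of the contrast is that the fix belongs on both sides: the frontend should not hand a user-supplied string to v-html at all, and the backend should not accept markup in a field it intends to treat as text.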

Impact

Exploitation of this vulnerability allows for stored cross-site scripting: the injected script is executed in the browser, and with the session, of any user who views the notice.

Reproduction

To reproduce this vulnerability, first obtain an authorized token by sending a GET request to the /getInfo endpoint with the appropriate authorization header. Once the token is received, create a notice by sending a POST request to the /system/notice endpoint, including the authorization token in the header and a request body whose noticeContent field carries the XSS payload. After the notice is created, the XSS payload is executed whenever the notice is viewed.

Added: May 3, 2026, 5:18 AM
Updated: May 3, 2026, 5:18 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.7
exploitability: 6.6
remediation: 0.0
relevance: 7.3
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.