| Field | Value |
|---|---|
| Title | z-9527 admin ≤ commit 72aaf2d Cross Site Scripting |
| Description | A stored Cross-Site Scripting (XSS) vulnerability exists in Z-9527 Admin ≤ commit 72aaf2d in the message board functionality: the /message/create endpoint accepts user-supplied message content without sanitization or validation and stores it directly in the database, and the React frontend then renders this content using dangerouslySetInnerHTML, again without sanitization or validation. As a result, authenticated attackers can inject arbitrary JavaScript that executes in the browsers of users viewing the message board, potentially leading to session hijacking, credential theft, or malicious actions performed on behalf of victims. Mitigations include HTML sanitization with a library such as DOMPurify, avoiding dangerouslySetInnerHTML in favor of React's default (escaped) text rendering, Content Security Policy (CSP) headers, context-appropriate output encoding, and validating input against an allowlist of permitted HTML tags and attributes. |
| Source | https://github.com/CC-T-454455/Vulnerabilities/tree/master/z9527-admin/vulnerability-10 |
| User | Anonymous User |
| Submitted | 2026-03-16 04:45 AM (22 days ago) |
| Moderation | 2026-03-31 06:11 PM (16 days later) |
| Status | Accepted |
| VulDB Entry | 354442 [z-9527 admin 1.0/2.0 Message Create Endpoint message.js Cross Site Scripting] |
| Points | 20 |