| 제목 | bufanyun HotGo <= v2.0 Cross Site Scripting |
|---|
| 설명 | A stored Cross-Site Scripting (XSS) vulnerability exists in HotGo ≤ v2.0 at the system notice functionality, where the /admin/notice/editNotice endpoint accepts user-supplied content field without sanitization or validation, stores it directly in the database, and the Vue.js frontend renders this content using v-html without sanitization or validation. As a result, authenticated attackers can inject arbitrary JavaScript that executes in the browsers of users viewing the system notice, potentially leading to session hijacking, credential theft, or malicious actions performed on behalf of victims. Mitigations include implementing HTML sanitization using libraries like DOMPurify, avoiding v-html in favor of safe Vue.js rendering, implementing Content Security Policy (CSP) headers, encoding output context-appropriately, and validating input against a whitelist of allowed HTML tags and attributes. |
|---|
| 원천 | ⚠️ https://github.com/CC-T-454455/Vulnerabilities/tree/master/hotgo/vulnerability-2 |
|---|
| 사용자 | Anonymous User |
|---|
| 제출 | 2026. 03. 16. AM 04:45 (19 날 ago) |
|---|
| 모더레이션 | 2026. 03. 31. PM 06:13 (16 days later) |
|---|
| 상태 | 수락 |
|---|
| VulDB 항목 | 354443 [bufanyun HotGo 1.0/2.0 editNotice Endpoint MessageList.vue 크로스 사이트 스크립팅] |
|---|
| 포인트들 | 20 |
|---|