CVE-2026-36725
Status: Received - Intake
BaseFortify

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: MITRE

Description
A markdown-based cross-site scripting (XSS) vulnerability in the /system/notice/create endpoint of FastapiAdmin v2.2.0 allows attackers to execute arbitrary web scripts or HTML by injecting a crafted payload into the notice_content parameter.
Meta Information
Published: 2026-06-09
Last Modified: 2026-06-09
Generated: 2026-06-10
AI Q&A: 2026-06-09
EPSS Evaluated: N/A
NVD
Affected Vendors & Products (2 associated CPEs)
Vendor: fastapiadmin, Product: fastapiadmin, Version: 2.2.0
Vendor: fastapiadmin, Product: fastapiadmin, Version range: up to 2.2.0 (inclusive)
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Quick Actions
Executive Summary

This vulnerability is a markdown-based Cross-Site Scripting (XSS) issue in FastapiAdmin version 2.2.0 and earlier. It occurs in the /system/notice/create endpoint where the notice_content parameter accepts user input without proper sanitization or validation.

The input is stored directly in the database and later rendered on the frontend using wangEditor, which does not have built-in XSS protection. This allows authenticated attackers to inject malicious JavaScript code into notices.

When other users view the notice details, the malicious scripts execute in their browsers, potentially leading to session hijacking, credential theft, or other harmful actions.

Impact Analysis

The vulnerability allows attackers to execute arbitrary JavaScript code in the browsers of users who view a compromised notice. Consequences include:

  • Session hijacking, where attackers take over user sessions.
  • Credential theft, potentially exposing user login information.
  • Execution of other malicious actions on behalf of the victim users.
Detection Guidance

This vulnerability can be detected by testing the /api/v1/system/notice/create endpoint for improper sanitization of the notice_content parameter. An authenticated user can attempt to inject a crafted payload such as <img src=x onerror='alert(1)' /> into the notice_content field and then observe whether the payload executes when viewing the notice details in the frontend.

To detect this on your system, you can use tools like curl or HTTP clients to send a POST request with the malicious payload to the endpoint and then check if the payload executes in the browser.

  • Example curl command to test injection: curl -X POST -H "Content-Type: application/json" -d '{"notice_content":"<img src=x onerror=alert(1)>"}' https://your-fastapiadmin-domain/api/v1/system/notice/create -b cookie.txt

After injecting, access the notice details page in a browser to see if the alert popup appears, indicating the XSS vulnerability.

Mitigation Strategies

Immediate mitigation steps include implementing proper HTML sanitization on the notice_content input before rendering it in the frontend.

  • Use a sanitization library such as DOMPurify to clean the HTML content before rendering with wangEditor.
  • Consider switching to a markdown editor with built-in XSS protection, like mavonEditor.
  • Implement Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts.
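The sanitization step in the first bullet, as an added example that is not FastapiAdmin's own code: a standard-library Python allowlist sanitizer that a FastAPI backend could apply to notice_content when a notice is created, and again before rendering. It shows the principle behind the DOMPurify recommendation (drop unknown tags, event-handler attributes and non-http(s) URLs); the function name and allowlists are this example's assumptions, and a maintained library should be used in production.

```python
# Added example (not FastapiAdmin code): allowlist-based HTML sanitizer for
# the notice_content field, using only the Python standard library.
from html import escape
from html.parser import HTMLParser

# Assumed allowlists for a notice body; adjust to the editor's feature set.
ALLOWED_TAGS = {"p", "b", "i", "strong", "em", "ul", "ol", "li", "br",
                "a", "img", "h1", "h2", "h3", "code", "pre"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
SAFE_URL_PREFIXES = ("http://", "https://", "/")
VOID_TAGS = {"br", "img"}


class NoticeSanitizer(HTMLParser):
    """Re-emit only allowlisted tags/attributes; everything else becomes text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # <script>, <svg>, <iframe>, ... are dropped; their text is escaped
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops on* event handlers (e.g. onerror), style, etc.
            value = value or ""
            if name in ("href", "src") and not value.lower().startswith(SAFE_URL_PREFIXES):
                continue  # drops javascript:, data: and other unsafe URLs
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))  # text is always entity-escaped


def sanitize_notice_content(raw: str) -> str:
    """Return a sanitized HTML string safe to store and render for other users."""
    parser = NoticeSanitizer()
    parser.feed(raw)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed input: the payload from the detection guidance above.
    print(sanitize_notice_content("<img src=x onerror='alert(1)' />"))  # -> <img>
```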
Compliance Impact

The markdown-based Cross-Site Scripting (XSS) vulnerability in FastapiAdmin v2.2.0 allows attackers to execute arbitrary scripts in users' browsers, potentially leading to session hijacking and credential theft.

Such unauthorized access and data exposure could result in violations of data protection regulations like GDPR and HIPAA, which mandate the protection of personal and sensitive information against unauthorized access and breaches.

Therefore, this vulnerability poses a risk to compliance with these standards by potentially enabling attackers to compromise user data confidentiality and integrity.
