I. Vulnerability Overview

1.1 Summary

A Stored Cross-Site Scripting (XSS) vulnerability exists in the Notice module of SmartAdmin(https://gitee.com/lab1024/smart-admin) v3.0, an enterprise-level rapid development platform. Attackers can inject malicious JavaScript code through the database, which will be executed in the browser of other users when they view the malicious notice.

1.2 Affected Versions

• SmartAdmin v3.0 (Java8 SpringBoot2)

II. Vulnerability Details

2.1 Vulnerability Classification

• CWE-79: Cross-site Scripting (XSS)

2.2 Affected Components

2.3 Root Cause

1. No input sanitization on frontend
   • Rich text editor sends raw HTML to backend without filtering
   • No DOMPurify or similar library used for HTML cleaning
2. No output encoding on frontend
   • Detail page uses v-html directive to render raw HTML
   • No security processing applied to HTML content
3. No validation on backend
   • Backend stores HTML content directly from frontend submission
   • No Jsoup or similar library used for HTML sanitization

III. Technical Analysis

3.1 Frontend Vulnerable Code

File: smart-admin-web-javascript/src/views/business/oa/notice/components/notice-form-drawer.vue

Vulnerable Code (Line 75-77):