VYPR
Moderate severity · NVD Advisory · Published Sep 28, 2018 · Updated Aug 5, 2024

CVE-2018-17574

Description

YApi 1.3.23 suffers from stored XSS in the project name field, allowing arbitrary JavaScript execution when users view project dynamics.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

YApi version 1.3.23 (and possibly earlier) contains a stored cross-site scripting (XSS) vulnerability in the project name field. The application does not sanitize user input when creating or editing a project, allowing an attacker to inject arbitrary HTML/JavaScript. This affects the name parameter during project creation [1][4].

Exploitation

An attacker must have a registered account on the YApi instance. They create a new project and set the project name to a malicious payload such as xss">. The project must be made public or added to a public group so that other users (including managers and administrators) can view it. When any user views the operation dynamics of that project, the injected script executes in their browser [4].

Impact

Successful exploitation leads to stored XSS, enabling the attacker to execute arbitrary JavaScript in the context of the victim's session. This can result in theft of session cookies, defacement, or other malicious actions performed on behalf of the victim. The impact is limited to the browser session of users who view the project dynamics [2][4].

Mitigation

The vulnerability was fixed in YApi version 1.3.24 (or later). Users should upgrade to the latest version. The GitHub advisory [3] indicates that versions before 1.3.23 are affected. No workaround is documented; upgrading is the recommended action. The CVE is not listed in CISA's Known Exploited Vulnerabilities catalog.
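To make the defect described under Vulnerability and the fix under Mitigation concrete, the following is an added JavaScript example (not YApi's code; the entry fields, function names and the sample project name are constructed): a dynamics entry rendered with the project name unencoded, the same entry rendered with output encoding, and a check that flags any tag in the result that did not come from the template.

```javascript
// Added example, not YApi's code. Entry fields, function names and the
// sample project name are hypothetical.

// Encode the five characters HTML treats specially so user text renders as
// literal text in element content or a double-quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Vulnerable pattern: the stored project name is concatenated straight into
// markup, so any tags in it become live HTML in every viewer's browser.
function renderDynamicsEntryUnsafe(entry) {
  return `<li>${entry.user} ${entry.action} project "${entry.projectName}"</li>`;
}

// Hardened pattern: every untrusted field is encoded at output time.
function renderDynamicsEntry(entry) {
  return `<li>${escapeHtml(entry.user)} ${escapeHtml(entry.action)} ` +
         `project "${escapeHtml(entry.projectName)}"</li>`;
}

// Defensive check for tests or a response filter: does the rendered fragment
// contain a tag name that is not one of the template's own tags?
function containsForeignTags(html, allowedTags) {
  const tags = [...html.matchAll(/<\/?([a-zA-Z][\w-]*)/g)]
    .map((m) => m[1].toLowerCase());
  return tags.some((t) => !allowedTags.includes(t));
}

// Constructed sample: a project name carrying a script tag.
const sampleEntry = {
  user: 'alice',
  action: 'created',
  projectName: 'Billing API <script>alert(1)</script>',
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderDynamicsEntryUnsafe(sampleEntry)); // script tag survives
  console.log(renderDynamicsEntry(sampleEntry));       // script tag is inert text
}
```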

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package             Affected versions   Patched versions
yapi-vendor (npm)   < 1.3.23            1.3.23

Affected products: 1

Patches: 0 (no patches discovered yet)


References: 3

News mentions: 0