VYPR
Moderate severity · NVD Advisory · Published Jan 26, 2023 · Updated Apr 1, 2025

CVE-2021-36686

Description

YApi 1.9.1 is vulnerable to stored XSS via the remarks field on the interface edit page, allowing arbitrary JavaScript execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability Overview

CVE-2021-36686 describes a stored cross-site scripting (XSS) vulnerability in YApi version 1.9.1, an open-source API management platform. The flaw resides in the /interface/api edit page, specifically within the 'remarks' field, where user-supplied input is not properly sanitized before being stored and later rendered to other users [1]. The project's GitHub issue tracker confirms that the remarks component, which supports Markdown rendering, fails to escape HTML or SVG payloads, enabling injection of malicious scripts [3].

Attack Vector

The vulnerability is exploitable by any authenticated user who can edit an API interface. An attacker creates or edits an interface, navigates to the remarks section, and inserts a crafted payload such as ` or ` (depending on whether the remarks editor is in Markdown mode) [3][4]. After saving, the payload is stored on the server. The attacker can then add a victim to the project group—no confirmation from the victim is required—and when the victim accesses the same interface edit page, the malicious script executes in their browser [3].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's session on the YApi instance. This could lead to session hijacking, exfiltration of API documentation or tokens, or further unauthorized actions within the platform. Since YApi is typically deployed on internal networks for team use, a stored XSS attack can propagate quickly through shared projects [1][3].

Mitigation Status

As of the latest available references, YApi version 1.9.1 remains vulnerable. The maintainers have been notified through GitHub issues [#2190] and [#2240], but no official patch has been released as of the publication date of this CVE (2023-01-26). Users should consider applying input sanitization on the remarks field, upgrading to a patched version if one becomes available, or restricting edit permissions to trusted users to reduce risk [2][3][4].
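Because Markdown renderers pass raw HTML through, the sanitization suggested above has to run on the rendered HTML at output time, not only on the raw remarks text. The allowlist sanitizer below is an added illustration of that approach, not YApi's own code; the tag and attribute allowlist and the sample remarks fragment are constructed for the example.

```python
from html import escape
from html.parser import HTMLParser

# Elements and attributes a Markdown-rendered remarks field legitimately needs (assumed set).
ALLOWED_TAGS = {"p", "br", "b", "strong", "i", "em", "code", "pre", "ul", "ol",
                "li", "a", "h1", "h2", "h3", "blockquote"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
# Only these URL prefixes are kept on href; javascript: and data: URLs are dropped.
SAFE_URL_PREFIXES = ("http://", "https://", "mailto:", "/", "#")


class RemarksSanitizer(HTMLParser):
    """Re-emit allowlisted tags/attributes; render everything else as escaped text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            # svg, script, img, iframe, ...: show the tag literally instead of executing it.
            self.out.append(escape(self.get_starttag_text()))
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops on* event handlers, style, etc.
            value = value or ""
            if name == "href" and not value.strip().lower().startswith(SAFE_URL_PREFIXES):
                continue
            kept.append(f' {name}="{escape(value)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # e.g. <br/>

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>" if tag in ALLOWED_TAGS else escape(f"</{tag}>"))

    def handle_data(self, data):
        self.out.append(escape(data))  # text (including <script> bodies) is always escaped


def sanitize_remarks(rendered_html: str) -> str:
    """Sanitize the HTML produced by the Markdown renderer before sending it to the browser."""
    parser = RemarksSanitizer()
    parser.feed(rendered_html)
    parser.close()
    return "".join(parser.out)


# Constructed sample: benign Markdown output followed by injected raw HTML.
SAMPLE_REMARKS_HTML = '<p>Returns <code>200</code>.</p><svg onload="x()"></svg><script>x()</script>'
```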

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: yapi-vendor (npm)
Affected versions: <= 1.9.1
Patched versions: none listed

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0 (no linked articles in our index yet)