EmpCloud API Exposes Stored XSS Vulnerability in Policy Endpoint
A critical stored cross-site scripting (XSS) vulnerability has been identified in the EmpCloud API, allowing attackers to inject and persistently store malicious JavaScript code within the platform's policy management system. The flaw resides in the `POST /api/v1/policies` endpoint, which accepts and stores raw HTML and JavaScript tags in both the `title` and `content` fields without any sanitization. Proof-of-concept payloads, including `<script>alert("XSS")</script>` and `<img src=x onerror=alert(1)>`, were successfully stored and returned verbatim in the API response, confirming that the vulnerability is live.
The endpoint, `https://test-empcloud-api.empcloud.com/api/v1/policies`, is part of EmpCloud's internal infrastructure for managing organizational policies. The vulnerability is classified as 'stored' or 'persistent' XSS, meaning the malicious script is saved on the server and will execute for any user who later views the compromised policy page. This type of flaw can lead to session hijacking, data theft, or unauthorized actions performed on behalf of legitimate users.
This security lapse exposes any organization using the EmpCloud platform to significant risk. An attacker with knowledge of this flaw could embed malicious code that steals employee session cookies, redirects users to phishing sites, or performs actions within the application without consent. The presence of such a basic vulnerability in a core API endpoint handling policy data raises serious questions about the platform's overall security posture and input validation practices. Immediate remediation, including proper input sanitization or output encoding, is required to prevent exploitation.
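The two remediations named above, as an added JavaScript example that is not EmpCloud's code: output encoding of the `title` and `content` fields at render time, plus an audit that flags already-persisted policy records containing active markup. The record shape (`id`, `title`, `content`) and the sample records are assumptions constructed for the example.

```javascript
// Added example (not EmpCloud's code): encode policy fields on output and
// audit stored records for markup that a policy text should never contain.

// Minimal HTML entity encoder, safe for text nodes and quoted attribute values.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;", "`": "&#96;" };
  return String(s).replace(/[&<>"'`]/g, (c) => map[c]);
}

// Render a stored policy as HTML with every user-controlled field encoded,
// so a stored <script> tag is displayed as text instead of executed.
function renderPolicy(policy) {
  return `<h2>${escapeHtml(policy.title)}</h2><div>${escapeHtml(policy.content)}</div>`;
}

// Heuristic audit for records already in the database: matches HTML tags,
// inline event-handler attributes (onerror=, onload=, ...) and javascript: URLs.
const ACTIVE_MARKUP = /<\s*\/?\s*[a-z][^>]*>|\bon[a-z]+\s*=|javascript:/i;

// Returns the ids of policies whose title or content carries active markup.
function auditPolicies(policies) {
  return policies
    .filter((p) => ACTIVE_MARKUP.test(p.title) || ACTIVE_MARKUP.test(p.content))
    .map((p) => p.id);
}

// Constructed sample records; ids 2 and 3 mirror the payloads in the advisory.
const SAMPLE_POLICIES = [
  { id: 1, title: "Leave policy", content: "Submit requests 5 days ahead." },
  { id: 2, title: '<script>alert("XSS")</script>', content: "x" },
  { id: 3, title: "Remote work", content: "<img src=x onerror=alert(1)>" },
];

// Stand-alone run: show the encoded rendering and the flagged record ids.
console.log(renderPolicy(SAMPLE_POLICIES[1]));
console.log("flagged:", auditPolicies(SAMPLE_POLICIES));
```

The audit is a triage aid for finding records stored before the fix; the durable control is the encoding (or server-side sanitization) applied on every render path.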