EmpCloud API Exposes Critical XSS Vulnerability: Announcements Endpoint Stores Raw Script Tags
A critical security flaw in EmpCloud's API allows attackers to inject and store malicious JavaScript directly in the platform's announcement system. The vulnerability, a stored Cross-Site Scripting (XSS) issue, was found in the `POST /api/v1/announcements` endpoint. During testing, raw HTML and JavaScript payloads, including `<script>` tags and `<img>` elements with `onerror` handlers, were submitted and stored by the server without any sanitization, escaping, or encoding. The API's response echoed the payloads back verbatim, which shows the server performs no encoding at all. Stored markup becomes executable wherever a client inserts the announcement into the page as HTML rather than as text, and that is the rendering behaviour the report describes: the payloads are saved intact, ready to run in users' browsers.
The vulnerability is located in the core announcement creation function of the test environment at `test-empcloud-api.empcloud.com`. Anyone who can call the endpoint (the report does not state what authentication it requires) can create an announcement with malicious code in the `title` and `content` (description) fields. Because the system neither strips nor encodes HTML tags, any user who views the announcement has the embedded script run in their browser in the context of the EmpCloud origin. Depending on the attacker's objectives, this could lead to session hijacking (where session cookies are readable from script, that is, not marked `HttpOnly`), credential theft through injected login prompts, defacement of the internal platform, or actions performed against the same API with the viewing user's privileges.
The presence of this unsanitized input storage represents a severe lapse in basic web application security practices for an enterprise cloud service, and it suggests that input validation may be weak across the EmpCloud platform. The report covers a test environment and does not confirm that production is affected, but it raises immediate concerns about the security posture of the production API and about similar flaws elsewhere in the codebase. The primary fix is contextual output encoding at every point where announcement fields are rendered (HTML entity encoding for element content, attribute-context encoding where values land in attributes); server-side input sanitization, with an allow-list if rich text is genuinely required, and a Content Security Policy are defense in depth rather than substitutes. The patch should be applied urgently, before any user data or system integrity is compromised.
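The following is an added example, not EmpCloud's code and not taken from the report. It assumes a response shape for `POST /api/v1/announcements` (an object carrying `id`, `title` and `content`) and constructs a sample response inline; the payloads are of the kind the report describes. It shows the check a tester runs against the real response (is the payload echoed back unchanged?), the rendering path that turns raw stored markup into stored XSS, and the hardened path that encodes at the output boundary as the fix above recommends.

```javascript
// Added example: verbatim-storage check plus unsafe vs. hardened rendering.
// Not EmpCloud's code; the response shape and field names are assumptions.

// Payloads of the kind the report describes: a script tag and an img
// element with an onerror handler.
const PAYLOADS = [
  '<script>alert(1)</script>',
  '<img src=x onerror=alert(1)>',
];

// Constructed stand-in for the JSON the API is reported to return after
// POST /api/v1/announcements: the submitted fields come back untouched.
const SAMPLE_RESPONSE = {
  id: 101,
  title: PAYLOADS[0],
  content: 'Maintenance tonight ' + PAYLOADS[1],
};

// The tester's check: which fields echo a submitted payload unchanged?
// Returns [{ field, payload }, ...]; empty when the server encoded or
// stripped the markup.
function findVerbatimPayloads(response, payloads, fields = ['title', 'content']) {
  const hits = [];
  for (const field of fields) {
    const value = String(response[field] ?? '');
    for (const payload of payloads) {
      if (value.includes(payload)) hits.push({ field, payload });
    }
  }
  return hits;
}

// HTML entity encoding for element content and quoted attribute values.
// These five characters are the ones that let text break out of either
// context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable render: concatenates stored values straight into markup.
// Assigned to innerHTML (or emitted by a server template), the script
// and the onerror handler execute in the viewer's browser.
function renderUnsafe(a) {
  return `<h2>${a.title}</h2><p>${a.content}</p>`;
}

// Hardened render: encode at the output boundary, regardless of what the
// API stored. Raw HTML in the database is then displayed, not executed.
function renderSafe(a) {
  return `<h2>${escapeHtml(a.title)}</h2><p>${escapeHtml(a.content)}</p>`;
}

// Heuristic used only to contrast the two renders: a real <script> tag, or
// an inline on* event handler inside a real tag. Encoded text never forms
// a tag, so it never matches.
function containsActiveHtml(markup) {
  return /<script\b|<[a-z]+[^>]*\son[a-z]+\s*=/i.test(markup);
}

console.log('verbatim payloads:', findVerbatimPayloads(SAMPLE_RESPONSE, PAYLOADS));
console.log('unsafe render executable:', containsActiveHtml(renderUnsafe(SAMPLE_RESPONSE)));
console.log('safe render executable:  ', containsActiveHtml(renderSafe(SAMPLE_RESPONSE)));
```

In a browser client the equivalent of `renderSafe` is to set `textContent` instead of `innerHTML`; the escaping function is needed when markup is assembled as a string, on either the server or the client. Note that `escapeHtml` covers element content and quoted attributes only: values placed into URLs, inline scripts or CSS need the encoder for that context.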