O2OA Remote Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability has been identified in O2OA version 9.0.3. The issue arises in the mainOutput() function: script code passed to it can use Java reflection to bypass the intended restrictions on what a script may call, and thereby execute arbitrary operating-system commands on the server.

Impact

Exploitation of this vulnerability allows authenticated users to execute arbitrary commands on the server where O2OA is running, with the privileges of the O2OA service process. In the reproduction below, the malicious Script Activity is authored with the 'xadmin' account and is then triggered from a normal user account, so the stored script runs when a lower-privileged user reaches it.

Reproduction

To reproduce this vulnerability, log into O2OA version 9.0.3 with the 'xadmin' account. Open the Process Application Management page and create a new process. Add a Script Activity and, as its script body, enter JavaScript that uses Java reflection to execute an operating-system command (launching the calculator is a harmless indicator). Save the process. Log out and log in with a normal account, create a new process and open the previously saved one; the command executes on the server, demonstrating that the stored script is run on behalf of the normal user.
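A check a defender can run over exported process definitions, as an added example that is not part of the original report and not O2OA's own code: it scans the script body of every Script Activity for the indicators a reflection-based command-execution payload needs (a Class.forName() lookup, a reflective getMethod()/invoke() chain, or a direct reference to Runtime, ProcessBuilder or exec()). The process record layout (a dict with an 'activities' list) and the indicator patterns are assumptions made for this example; the sample scripts are constructed here to exercise the scanner and are not the payload from the report.

```python
import re

# Indicators of Java reflection or process spawning inside script code.
# ASSUMPTION: these patterns are chosen for this example; they are not
# O2OA's own restriction rules. Order matters only for the report order.
REFLECTION_PATTERNS = [
    (r"java\.lang\.reflect", "java.lang.reflect package reference"),
    (r"Class\s*\.\s*forName\s*\(", "Class.forName() class lookup"),
    (r"\.\s*getMethod\s*\(|\.\s*getDeclaredMethod\s*\(", "method lookup via reflection"),
    (r"\.\s*invoke\s*\(", "reflective invocation"),
    (r"\bRuntime\b", "java.lang.Runtime reference"),
    (r"ProcessBuilder", "java.lang.ProcessBuilder reference"),
    (r"\.\s*exec\s*\(", "exec() call"),
]


def scan_script(script):
    """Return (line_no, indicator, stripped_line) for every suspicious line.

    A line that matches several indicators is reported once per indicator,
    so the reviewer sees the whole reflection chain, not just its first step.
    """
    findings = []
    for line_no, line in enumerate(script.splitlines(), start=1):
        for pattern, label in REFLECTION_PATTERNS:
            if re.search(pattern, line):
                findings.append((line_no, label, line.strip()))
    return findings


def scan_process(process):
    """Scan every Script Activity of one exported process definition.

    ASSUMPTION: the process is a dict with an 'activities' list, each entry
    carrying 'type', 'name' and (for scripts) 'script'. Returns a mapping of
    activity name -> findings; an empty dict means nothing was flagged.
    """
    report = {}
    for activity in process.get("activities", []):
        if activity.get("type") != "script":
            continue
        hits = scan_script(activity.get("script", ""))
        if hits:
            report[activity["name"]] = hits
    return report


# Constructed sample input: a harmless process that only touches form data.
BENIGN_PROCESS = {
    "name": "expense-approval",
    "activities": [
        {"type": "manual", "name": "manager review"},
        {"type": "script", "name": "compute total",
         "script": "var total = this.data.amount * 1.1;\nthis.data.total = total;"},
    ],
}

# Constructed sample input: a process whose Script Activity walks the
# reflection chain described in the report (class lookup, method lookup,
# reflective invocation, then a command execution).
SUSPICIOUS_PROCESS = {
    "name": "leave-request",
    "activities": [
        {"type": "script", "name": "run payload",
         "script": (
             'var cls = java.lang.Class.forName("java.lang.Runtime");\n'
             'var rt = cls.getMethod("getRuntime").invoke(null);\n'
             'rt.exec("calc");'
         )},
    ],
}


if __name__ == "__main__":
    for proc in (BENIGN_PROCESS, SUSPICIOUS_PROCESS):
        report = scan_process(proc)
        print(proc["name"], "->", "clean" if not report else "FLAGGED")
        for activity, hits in report.items():
            for line_no, label, text in hits:
                print("  %s:%d %s: %s" % (activity, line_no, label, text))
```

Run it as-is to see the benign process pass and the suspicious one flagged with all five indicators across its three lines. In practice the scan belongs wherever process definitions are stored or exported, since the report shows the script is saved by one account and executed later when another account reaches the process.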

Added: Aug 27, 2025, 8:22 PM
Updated: Aug 27, 2025, 8:22 PM

Vulnerability Rating

Custom Algorithm
spread          0.3
impact         10.0
exploitability  6.2
remediation     0.0
relevance       0.4
threat          6.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.