O2OA
cpe:2.3:a:zoneland:o2oa:*:*:*:*:*:*:*
- 9.1.3
A cross-site scripting (XSS) vulnerability has been identified in O2OA version 9.1.3, specifically within the Meetings - Settings section. It is a stored XSS flaw: attackers can inject payloads that execute arbitrary web scripts and HTML.
Exploitation results in stored cross-site scripting, where the injected scripts are executed in the context of the user.
To reproduce this vulnerability, log into O2OA version 9.1.3 and navigate to the Meetings - Settings section. Inject a payload into the settings and save it. After refreshing the page, the injected script will execute when the Settings button is clicked again.
A fix is planned for release in a minor version update.