O2OA Stored Cross-Site Scripting Vulnerability in Calendar Configuration Endpoint

A stored cross-site scripting vulnerability has been identified in O2OA versions through 10.0-410. The issue arises in the calendar configuration endpoint, specifically within the 'toMonthViewName' field, which allows for the injection of arbitrary JavaScript. This injected script is executed when the calendar view is accessed, potentially leading to the theft of session tokens or user credentials, and allowing attackers to perform actions on behalf of the victim, thereby compromising their account.

Impact

Exploitation of this vulnerability allows for the execution of injected JavaScript in the context of the user's browser, which can lead to the theft of session tokens, user credentials, or other sensitive information. Additionally, it enables attackers to perform actions on behalf of the victim, resulting in account compromise and possible privilege escalation.

Reproduction

To reproduce this vulnerability, send a PUT request to the '/x_organization_assemble_personal/jaxrs/definition/calendarConfig' endpoint with a malicious payload in the 'toMonthViewName' field. The injected script will be executed when the affected calendar view is opened, confirming the cross-site scripting vulnerability.

Remediation

The vendor has acknowledged this vulnerability and stated that it will be fixed in a future version.