O2OA Stored Cross-Site Scripting Vulnerability in Personal Profile Page Component
Vulnerability
A stored cross-site scripting vulnerability has been identified in O2OA versions through 10.0-410. The issue resides in the Personal Profile Page component, specifically within the endpoint '/x_organization_assemble_control/jaxrs/person/{personId}'. The vulnerability allows for the injection of malicious scripts into the 'Description' field, which are then executed when the profile is viewed. This issue can be exploited remotely.
Impact
Exploitation of this vulnerability allows for the execution of injected JavaScript in the context of the user's browser, potentially leading to the theft of session tokens or sensitive information, and the execution of unauthorized actions on behalf of the user.
Reproduction
To reproduce this vulnerability, send a PUT request to the '/x_organization_assemble_control/jaxrs/person/{personId}' endpoint, including a malicious payload in the 'Description' field. The injected script will be executed when the profile is accessed.
Remediation
The vendor has indicated that this issue will be addressed in a future version.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.