O2OA Stored Cross-Site Scripting Vulnerability in Personal Profile Page Component

A stored cross-site scripting vulnerability has been identified in O2OA versions through 10.0-410. The issue arises in the Personal Profile Page component, specifically within the file '/x_program_center/jaxrs/script'. User-supplied input, including the name, alias, and description fields, is not properly sanitized before being saved. This lack of input validation allows for the execution of malicious scripts when the data is later displayed in the application. The vulnerability can be exploited remotely, and an exploit is publicly available.

Impact

Exploitation of this vulnerability allows for the persistent execution of JavaScript in the context of the victim's browser. This could lead to the theft of session tokens or sensitive user information, as well as the execution of unauthorized actions on behalf of the user.

Reproduction

To reproduce this vulnerability, send a POST request to the '/x_program_center/jaxrs/script' endpoint with a payload that includes unsanitized HTML, such as an image tag with an 'onerror' event. Include the necessary authentication tokens in the request headers. Once the payload is stored, it will be executed when the profile is viewed, demonstrating the cross-site scripting vulnerability.

Remediation

The vendor has acknowledged this vulnerability and stated that it will be addressed in a future version. Users are advised to monitor for updates.