O2OA Stored Cross-Site Scripting Vulnerability in Personal Profile Page Component

A stored cross-site scripting vulnerability has been identified in O2OA versions through 10.0-410. The issue resides in the Personal Profile Page component, specifically within the '/x_portal_assemble_designer/jaxrs/dict/' endpoint. The vulnerability allows for the injection of malicious scripts into user profile fields, which are then executed when the profile is viewed. This exploitation is possible due to the lack of proper input sanitization before the data is stored and subsequently rendered in the application.

Impact

Exploitation of this vulnerability allows for the execution of injected JavaScript in the context of the user's browser, potentially leading to the theft of session tokens or sensitive information, and the execution of unauthorized actions on behalf of the user.

Reproduction

To reproduce this vulnerability, send a PUT request to the '/x_portal_assemble_designer/jaxrs/dict/{id}' endpoint with an unescaped payload containing JavaScript, such as an image tag with an 'onerror' event. Once the payload is stored, it will be executed when the profile is accessed.

Remediation

The vendor has stated that this issue will be fixed in a future version. In the meantime, it is recommended to filter and escape user input in profile fields before storage, and to ensure proper output encoding when displaying data.