O2OA Stored Cross-Site Scripting Vulnerability in Personal Profile Page Component

A stored cross-site scripting vulnerability has been identified in O2OA versions through 10.0-410. The issue arises in the Personal Profile Page component, specifically within an unknown function of the file '/x_portal_assemble_designer/jaxrs/widget'. The vulnerability allows for the injection of user-supplied input, such as personal profile details, which is saved without proper sanitization and later displayed in the application. This flaw enables the persistent execution of malicious scripts, potentially leading to the theft of session tokens or sensitive user information, and allowing unauthorized actions to be performed on behalf of authenticated users.

Impact

Exploitation of this vulnerability allows for the execution of injected JavaScript in the context of the user's browser, creating a persistent cross-site scripting issue. This could lead to the execution of malicious scripts that could steal session tokens or sensitive information, and perform actions on behalf of the user.

Reproduction

To reproduce this vulnerability, send a POST request to the '/x_portal_assemble_designer/jaxrs/widget' endpoint with a payload that includes malicious JavaScript, such as an image tag (with an invalid image source) using an 'onerror' attribute. The request must include an authorization token and the 'x-token' cookie. Once the payload is stored, it will be executed when the profile is viewed, confirming the cross-site scripting vulnerability.

Remediation

The vendor has stated that this issue will be fixed in a future version. In the meantime, it is recommended to filter and escape user input in profile fields before storing it, and to ensure proper output encoding when rendering data.