O2OA Stored Cross-Site Scripting Vulnerability in Personal Profile Page Component

A stored cross-site scripting vulnerability has been identified in O2OA versions through 10.0-410. The issue resides in the Personal Profile Page component, specifically within the file '/x_portal_assemble_designer/jaxrs/page'. The vulnerability allows for the injection of malicious scripts that are executed persistently when the profile is viewed. This occurs because user input is not properly sanitized before being stored and later displayed in the application.

Impact

Exploitation of this vulnerability allows for the execution of injected JavaScript in the context of the user's browser, potentially leading to the theft of session tokens or sensitive data, and the performance of unauthorized actions on behalf of the user.

Reproduction

To reproduce this vulnerability, send a POST request to the '/x_portal_assemble_designer/jaxrs/page' endpoint with a payload that includes a script injection, such as an image tag (with an invalid image source) using an 'onerror' attribute. This payload can be included in fields like 'name', 'alias', and 'description'. After the payload is stored, it will be executed when the profile page is accessed.

Remediation

The vendor has indicated that this issue will be addressed in a future version. In the meantime, it is recommended to filter and escape user input in profile fields before storage, and to ensure proper output encoding when rendering data.