O2OA Stored Cross-Site Scripting Vulnerability in Personal Profile Page Component

A stored cross-site scripting vulnerability has been identified in O2OA versions through 10.0-410. The issue resides in the Personal Profile Page component, specifically within the endpoint '/x_cms_assemble_control/jaxrs/design/appdict'. The vulnerability allows for the injection of malicious scripts that are executed persistently, as user input is stored without proper sanitization and later rendered in the application.

Impact

Exploitation of this vulnerability allows for the execution of injected JavaScript in the context of the user's browser, potentially leading to the theft of session tokens or sensitive data, and the execution of unauthorized actions on behalf of the user.

Reproduction

To reproduce this vulnerability, send a POST request to the '/x_cms_assemble_control/jaxrs/design/appdict' endpoint with a payload that includes malicious JavaScript, such as an image tag (img) with an 'onerror' event. This payload will be executed when the profile is viewed, confirming the presence of the cross-site scripting vulnerability.

Remediation

The vendor has stated that this issue will be fixed in a future version. In the meantime, it is recommended to filter and escape user input in profile fields before storage, and to ensure proper output encoding when rendering data.