O2OA Stored Cross-Site Scripting Vulnerability in Personal Profile Page Component

A stored cross-site scripting vulnerability has been identified in O2OA versions through 10.0-410. The issue arises in the Personal Profile Page component, specifically within the file '/x_cms_assemble_control/jaxrs/script'. User input for the 'name', 'alias', and 'description' fields is not properly sanitized before being saved, allowing malicious scripts to be executed persistently when the profile is viewed. This vulnerability can be exploited remotely, and a public proof-of-concept is available.

Impact

Exploitation of this vulnerability allows for the execution of injected JavaScript in the context of the user's browser, potentially leading to the theft of session tokens or sensitive information, and the execution of unauthorized actions on behalf of the user.

Reproduction

To reproduce this vulnerability, send a POST request to the '/x_cms_assemble_control/jaxrs/script' endpoint with a payload that includes an image tag (with an invalid image source) in the 'name', 'alias', and 'description' fields. Include the necessary authentication token in the request headers. Once the payload is stored, it will be executed when the profile is accessed, demonstrating the cross-site scripting vulnerability.

Remediation

The vendor has indicated that this issue will be addressed in a future version. In the meantime, it is recommended to filter and escape user input in profile fields before storage, and to ensure proper output encoding when rendering data.