O2OA Stored Cross-Site Scripting Vulnerability in Personal Profile Page Component

A stored cross-site scripting vulnerability has been identified in O2OA versions through 10.0-410. The issue arises in the Personal Profile Page component, specifically within the '/x_processplatform_assemble_designer/jaxrs/form' endpoint. User input for the name, alias, and description fields is not properly sanitized before being saved, allowing malicious scripts to be executed persistently when the profile is viewed. This vulnerability can be exploited remotely.

Impact

Exploitation of this vulnerability allows for the execution of injected JavaScript in the context of the user's browser, potentially leading to the theft of session tokens or sensitive information, and the execution of unauthorized actions on behalf of the user.

Reproduction

To reproduce this vulnerability, send a POST request to the '/x_processplatform_assemble_designer/jaxrs/form' endpoint with an authorization token. Include a payload in the name, alias, and description fields that consists of a script injection, such as an image tag (with an invalid image source) using an 'onerror' attribute. Once the payload is injected, it will be executed when the profile is accessed.

Remediation

The vendor has acknowledged this issue and stated that it will be fixed in a future version. In the meantime, users should manually sanitize and encode user inputs in profile fields before saving them.