O2OA Stored Cross-Site Scripting Vulnerability in Personal Profile Page Component
Vulnerability
A stored cross-site scripting (XSS) vulnerability affects O2OA versions through 10.0-410. The issue is in the Personal Profile Page component, in the file '/x_processplatform_assemble_designer/jaxrs/process'. The 'name' and 'alias' fields accept user-supplied input that is stored without sanitization, so script embedded in those fields executes in the browser of any user who later views the stored data. The vulnerability is exploitable remotely by an authenticated user (a valid authorization token is required, see Reproduction), and a public proof-of-concept exploit is available.
Impact
Injected JavaScript executes in the browser of the user viewing the profile, within that user's authenticated session. An attacker can steal session tokens or other sensitive information exposed to script, and can perform actions in the application on that user's behalf. Because the payload is stored on the server, a single injection reaches every user who views the affected profile, including administrators.
Reproduction
To reproduce, send a POST request to the '/x_processplatform_assemble_designer/jaxrs/process' endpoint, carrying a valid authorization token, with an image tag that references an invalid image source placed in the 'name' and 'alias' fields. The application stores the payload unchanged, and it executes when the profile is next rendered. Because a valid token is required, the attacker must hold an account (or a stolen token) on the target instance.
Remediation
The vendor has stated that this issue will be fixed in a future version. Until then, validate and escape user input in profile fields before it is stored, and apply context-appropriate output encoding (HTML entity encoding for values rendered into HTML) whenever stored data is displayed. Output encoding is the primary control: it also neutralises payloads that are already in the database, which input filtering alone does not. A Content Security Policy that forbids inline script further limits what an injected payload can do.
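The following is an added example of the remediation described above (output encoding plus an input check for profile fields); it is illustrative code written for this page and is not O2OA's own implementation. The field names 'name' and 'alias' come from the advisory; the rendering functions, the `isAcceptableProfileField` policy and the sample payload are constructed for the demonstration.

```javascript
// Added example: escape profile fields on output and reject markup on input.
// Illustrative only; not O2OA code. Helper names and the sample payload are
// constructed for this demonstration.

// Entity map for the five HTML-significant characters. Encoding on output is
// the primary defence: whatever was stored, the browser receives text, not tags.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable rendering: stored values are concatenated straight into markup,
// which is the pattern that lets a stored payload execute when viewed.
function renderProfileUnsafe(profile) {
  return `<div class="profile"><h2>${profile.name}</h2><p>${profile.alias}</p></div>`;
}

// Hardened rendering: every stored value passes through escapeHtml() first.
function renderProfileSafe(profile) {
  return `<div class="profile"><h2>${escapeHtml(profile.name)}</h2>` +
         `<p>${escapeHtml(profile.alias)}</p></div>`;
}

// Defence in depth on the way in (hypothetical policy): a display name or
// alias has no legitimate need for angle brackets, so reject them at the API.
function isAcceptableProfileField(value, maxLength = 64) {
  return typeof value === 'string'
    && value.length > 0
    && value.length <= maxLength
    && !/[<>]/.test(value);
}

// Constructed sample resembling the payload class described above: an <img>
// tag whose source cannot load, carrying an error handler. This is a generic
// XSS test string, not the exact payload from any public proof of concept.
const SAMPLE_PAYLOAD = '<img src="x" onerror="alert(document.cookie)">';

// Stand-alone demonstration: the unsafe renderer emits a live <img> tag,
// the safe renderer emits inert text, and the input check rejects the payload.
function demo() {
  const profile = { name: SAMPLE_PAYLOAD, alias: 'tester' };
  return {
    unsafeHasTag: renderProfileUnsafe(profile).includes('<img'),
    safeHasTag: renderProfileSafe(profile).includes('<img'),
    inputAccepted: isAcceptableProfileField(SAMPLE_PAYLOAD),
  };
}

console.log(demo());
```

The input check is deliberately strict rather than a blacklist of known tags: filtering specific strings is easy to bypass, whereas escaping on output is complete for the HTML text context. If profile fields are ever inserted into other contexts (attribute values, JavaScript, URLs), each context needs its own encoder.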
