O2OA Stored Cross-Site Scripting Vulnerability in Personal Profile Page Component

A stored cross-site scripting vulnerability has been identified in O2OA versions through 10.0-410. The issue arises in the Personal Profile Page component, specifically within the endpoint '/x_processplatform_assemble_designer/jaxrs/script'. User input for the fields name, alias, description, and applicationName is not properly sanitized before being saved, allowing malicious scripts to be executed persistently when the profile is viewed. This vulnerability can be exploited remotely, and a public exploit is available.

Impact

Exploitation of this vulnerability allows for the execution of injected JavaScript in the context of the user's browser, potentially leading to the theft of session tokens or sensitive information, and the execution of unauthorized actions on behalf of the user.

Reproduction

To reproduce this vulnerability, send a POST request to the '/x_processplatform_assemble_designer/jaxrs/script' endpoint with an unsanitized payload in the 'name', 'alias', 'description', and 'applicationName' fields. Once the payload is stored, it will be executed when the profile is accessed, demonstrating the cross-site scripting vulnerability.

Remediation

User input in the profile fields should be filtered and escaped before storage, and proper output encoding should be applied when displaying the data.