O2OA Stored Cross-Site Scripting Vulnerability in Personal Profile Page Component
Vulnerability
A stored cross-site scripting vulnerability has been identified in O2OA versions through 10.0-410. The issue resides in the Personal Profile Page component, specifically in the file '/x_query_assemble_designer/jaxrs/stat'. The vulnerability stems from user input in the 'name', 'alias', 'description', and 'applicationName' fields being stored without proper sanitization. Because this unsanitized data is later rendered by the application, a script embedded in those fields executes in the browser of any user who views the profile. The vulnerability can be exploited remotely, and a public exploit is available.
Impact
Exploitation of this vulnerability allows for the persistent execution of JavaScript in the context of the victim's browser. This could lead to the theft of session tokens or sensitive user information, as well as the unauthorized execution of actions on behalf of authenticated users.
Reproduction
To reproduce this vulnerability, send a POST request to the '/x_query_assemble_designer/jaxrs/stat' endpoint with a payload that includes an image tag (with an invalid image source) in the 'name', 'alias', 'description', and 'applicationName' fields. Include the necessary headers and cookies for authentication. Once the payload is stored, it will be executed when the profile is viewed, confirming the cross-site scripting vulnerability.
Remediation
The vendor has stated that this issue will be fixed in a future version. In the meantime, it is recommended to validate and escape user input in profile fields before storing it, and to apply proper output encoding whenever stored profile data is displayed, so that values are rendered as text rather than interpreted as markup.
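The following is an added example illustrating the two-layer remediation described above; it is not O2OA code and does not reflect how the vendor's fix will be implemented. It assumes a simple dictionary-based profile record and uses only the Python standard library. The field names are the four named in the advisory; the length limits, the identifier allow-list, the helper names (validate_profile_input, render_profile_html, find_stored_markup) and the sample records are assumptions constructed for the example. The third helper is an audit aid for defenders: it flags records whose profile fields already contain HTML tags, which is useful for finding payloads stored before a fix is deployed.

```python
import html
import re

# The four profile fields the advisory names as stored without sanitization.
PROFILE_FIELDS = ("name", "alias", "description", "applicationName")

# Assumed limits (not from the advisory): length caps, plus a conservative
# character allow-list for the short, identifier-like fields. 'description'
# is treated as free text and relies on output encoding instead.
MAX_LEN = {"name": 64, "alias": 64, "description": 1024, "applicationName": 128}
IDENTIFIER_RE = re.compile(r"^[\w .@()\-]+$")  # \w is Unicode-aware, so non-Latin names pass

# Rough detector for HTML tags inside a stored value (used for auditing only).
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z!][^>]*>")


def validate_profile_input(payload):
    """Input-side defence: return a list of validation errors (empty means accepted).

    Rejects non-string values, oversize values, and characters outside the
    allow-list for identifier-like fields. Free-text 'description' is only
    length-checked here and is neutralised at render time instead.
    """
    errors = []
    for field in PROFILE_FIELDS:
        value = payload.get(field, "")
        if not isinstance(value, str):
            errors.append(f"{field}: must be a string")
            continue
        value = value.strip()
        if len(value) > MAX_LEN[field]:
            errors.append(f"{field}: exceeds {MAX_LEN[field]} characters")
        if field != "description" and value and not IDENTIFIER_RE.match(value):
            errors.append(f"{field}: contains characters outside the allow-list")
    return errors


def render_profile_html(record):
    """Output-side defence: HTML-entity encode every stored value at render time.

    This is what protects viewers even for data that was stored before the
    input validation existed, or for free-text fields that legitimately may
    contain '<' or quotes.
    """
    rows = "".join(
        f"<tr><th>{html.escape(field)}</th>"
        f"<td>{html.escape(record.get(field, ''), quote=True)}</td></tr>"
        for field in PROFILE_FIELDS
    )
    return f"<table>{rows}</table>"


def find_stored_markup(records):
    """Audit helper: list (record id, field) pairs whose value already contains an HTML tag."""
    findings = []
    for rec in records:
        for field in PROFILE_FIELDS:
            if TAG_RE.search(str(rec.get(field, ""))):
                findings.append((rec.get("id"), field))
    return findings


# Constructed sample data (not from the advisory). The probe string is the
# generic image-tag-with-invalid-source pattern the advisory describes.
PROBE = '<img src="x" onerror="alert(1)">'
SAMPLE_RECORDS = [
    {"id": "rec-1", "name": "Alice", "alias": "ali",
     "description": "Ops team", "applicationName": "HR Portal"},
    {"id": "rec-2", "name": PROBE, "alias": "x",
     "description": PROBE, "applicationName": "x"},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec["id"], "input errors:", validate_profile_input(rec) or "none")
        print(rec["id"], "rendered:", render_profile_html(rec))
    print("records with stored markup:", find_stored_markup(SAMPLE_RECORDS))
```

Running the block shows the second record being rejected at input time because of its 'name' value, while its 'description' (which passes the length-only input check) is still displayed harmlessly as encoded text. Both layers matter: input validation keeps obviously malformed values out of the database, and output encoding guarantees that whatever is stored is rendered as text in the HTML body context. If profile values are ever inserted into other contexts (JavaScript strings, attributes, URLs), each needs its own context-specific encoder.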