O2OA Stored Cross-Site Scripting Vulnerability in Personal Profile Page Component

A stored cross-site scripting vulnerability has been identified in O2OA versions through 10.0-410. The issue resides in the Personal Profile Page component, specifically within the file '/x_query_assemble_designer/jaxrs/importmodel'. The vulnerability allows for the injection of malicious scripts into the 'description', 'applicationName', and 'queryName' fields, which are then executed when the profile is viewed. This exploitation can be performed remotely.

Impact

Exploitation of this vulnerability allows for the persistent execution of injected JavaScript in the context of the user's browser. This could lead to the theft of session tokens or sensitive information, as well as the execution of unauthorized actions on behalf of the user.

Reproduction

To reproduce this vulnerability, send a POST request to the '/x_query_assemble_designer/jaxrs/importmodel' endpoint with a payload that includes malicious scripts in the 'description', 'applicationName', and 'queryName' fields. Once the payload is stored, it will be executed when the profile is accessed.

Remediation

The vendor has indicated that this issue will be addressed in a future version. In the meantime, users are advised to filter and escape input in profile fields before saving, and to properly encode output when displaying data.