Jinher OA Cross-Site Scripting Vulnerability in Password Change Action
Vulnerability
A reflected cross-site scripting vulnerability has been identified in Jinher OA version 1.0. It resides in the handler for POST requests to the login!changePassWord.action endpoint, which reflects the value of the 'Account' parameter into its HTML response without adequate validation or output encoding. A remote attacker can therefore inject arbitrary HTML and JavaScript; the payload executes in the victim's browser, within the origin of the Jinher OA application, when the victim interacts with the reflected content. The reported trigger (a mouse hover) is consistent with a payload that breaks out of an HTML attribute and adds an event-handler attribute such as onmouseover, rather than a bare script tag.
Impact
Because the flaw is reflected and reached via POST, exploitation requires the victim to submit the crafted request, typically by visiting an attacker-controlled page that auto-submits a hidden form to the endpoint. The injected script then runs in the victim's browser in the origin of the Jinher OA application, so it can read and modify the rendered page, issue requests with the victim's ambient credentials, and act on the application as the victim, subject to any cookie flags and other protections the deployment applies. The attack does not execute until the victim hovers over the injected element, so the attacker will normally wrap the payload in something the user is likely to mouse over.
Reproduction
To reproduce this vulnerability, send a POST request to the login!changePassWord.action endpoint with an 'Account' parameter whose value breaks out of the surrounding HTML and carries a JavaScript payload. The injected script executes when the response is rendered in a browser; with the hover-style payload the advisory describes, it fires when the victim moves the mouse over the reflected element. When verifying, inspect the raw response body and confirm that the parameter value appears unencoded in an HTML or attribute context, rather than relying only on whether a browser pops an alert, since browser-side filtering and auto-formatting can mask or mimic the result.
Remediation
The primary fix is contextual output encoding: every user-controlled value, including 'Account', must be encoded for the exact context it is written into (HTML body, HTML attribute, JavaScript string, URL) before it is rendered in the response, so that a value cannot change the structure of the markup. Input validation of the 'Account' parameter is a worthwhile second layer, but it should be an allow-list of the characters an account name may legitimately contain rather than a deny-list of HTML or JavaScript syntax, because deny-lists are routinely bypassed. Marking session cookies HttpOnly and deploying a Content-Security-Policy reduces the impact if a reflection is missed, but neither replaces encoding at the point of output.
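The following added example illustrates both the Reproduction and the Remediation sections. It is constructed for this page and is not Jinher OA code: a minimal model of a handler that reflects the POSTed 'Account' value into an input attribute, a generic attribute-breakout hover payload (an assumption, not the payload used in the original report), the hardened handler that encodes at the point of output plus an allow-list validator (the permitted character set is an assumption), and a check that parses the raw response the way a browser would to decide whether an event-handler attribute was actually injected.

```python
import html
import re
import urllib.parse
from html.parser import HTMLParser

# Constructed model of the affected handler, not Jinher OA code: the action reflects
# the POSTed 'Account' value into an <input value=""> attribute of its response.
ENDPOINT = "/login!changePassWord.action"

# Generic attribute-breakout probe (constructed, not taken from the advisory): it closes
# the value="" attribute and adds an event handler, so the script fires on hover.
PAYLOAD = '" onmouseover="alert(document.domain)" x="'


def form_body(account: str) -> str:
    """Build the application/x-www-form-urlencoded body a client would POST."""
    return urllib.parse.urlencode({"Account": account})


def account_from_body(body: str) -> str:
    """Extract the 'Account' field from a form-encoded POST body."""
    params = urllib.parse.parse_qs(body, keep_blank_values=True)
    return params.get("Account", [""])[0]


def vulnerable_response(body: str) -> str:
    """The bug class in the advisory: the parameter is reflected verbatim."""
    account = account_from_body(body)
    return (f'<form method="post" action="{ENDPOINT}">'
            f'<input name="Account" value="{account}"></form>')


def hardened_response(body: str) -> str:
    """Primary fix: encode for the HTML attribute context at the point of output."""
    account = html.escape(account_from_body(body), quote=True)
    return (f'<form method="post" action="{ENDPOINT}">'
            f'<input name="Account" value="{account}"></form>')


# Assumed allow-list for account names; use whatever the application really permits.
ACCOUNT_RE = re.compile(r"[A-Za-z0-9._@-]{1,64}")


def validate_account(account: str) -> bool:
    """Defence in depth: accept only characters an account name may contain."""
    return ACCOUNT_RE.fullmatch(account) is not None


def handle_change_password(body: str) -> str:
    """Both layers together: reject malformed input, and encode whatever is echoed."""
    if not validate_account(account_from_body(body)):
        return "<p>Invalid account name.</p>"
    return hardened_response(body)


class _AttrCollector(HTMLParser):
    """Collects attribute names from every start tag, as a browser's parser would see them."""

    def __init__(self):
        super().__init__()
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        self.attrs.extend(name for name, _ in attrs)


def injected_event_handlers(response: str) -> list:
    """Verification check: parse the raw response and list any on* attributes.
    A plain substring search is not enough, because the encoded (safe) response
    still contains the literal text 'onmouseover=' inside the attribute value."""
    parser = _AttrCollector()
    parser.feed(response)
    return [a for a in parser.attrs if a.lower().startswith("on")]


if __name__ == "__main__":
    body = form_body(PAYLOAD)
    print("POST", ENDPOINT, "body:", body)
    for label, fn in (("vulnerable", vulnerable_response),
                      ("hardened", hardened_response),
                      ("validated+hardened", handle_change_password)):
        out = fn(body)
        print(f"{label}: {out}\n  event handlers: {injected_event_handlers(out)}")
```

The parsing-based check is the one to keep in a regression test: it reports an onmouseover attribute for the vulnerable response and nothing for the encoded one, whereas grepping for `onmouseover=` would flag both and give a false positive after the fix.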
