Xinhu Rainrock RockOA
cpe:2.3:a:rockoa:xinhu:*:*:*:*:*:*:*
- <= 2.7.1
A cross-site scripting (XSS) vulnerability has been identified in Xinhu Rainrock RockOA versions through 2.7.1. The issue resides in the API component, specifically within the rockfun.php file. The vulnerability is triggered by manipulating the callback parameter, which is not properly sanitized before being output. This flaw allows remote attackers to inject malicious scripts that are executed in the context of the victim's browser. Although the vendor was notified of this vulnerability, no response was received.
Exploitation of this vulnerability allows for cross-site scripting, where injected scripts are executed in the context of the user's browser, potentially leading to the theft of cookies or session tokens, or other malicious actions.
To reproduce this vulnerability, send a request to the rockfun.php file in the API component with a crafted callback parameter that includes script tags. The server will respond by executing the injected script in the user's browser.
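The defect the advisory describes is a JSONP-style callback value written into the response without validation. As an added illustration, not RockOA's own rockfun.php (whose source the page does not show), the following PHP places that unsafe pattern beside a hardened handler that allow-lists the callback name; the function names, the regular expression and the sample values are assumptions made for this example.

```php
<?php
// Constructed example: NOT the vendor's rockfun.php, only the pattern the advisory describes.

// Unsafe pattern: whatever arrives in ?callback= is concatenated straight into the
// response body, so a value carrying markup or script reaches the browser unescaped.
function jsonp_response_vulnerable(array $data, string $callback): string
{
    return $callback . '(' . json_encode($data) . ');';
}

// Hardened form: only a dotted JavaScript identifier is accepted as the callback name.
const JSONP_CALLBACK_RE = '/^[A-Za-z_$][A-Za-z0-9_$]*(?:\.[A-Za-z_$][A-Za-z0-9_$]*)*$/';

function jsonp_response_safe(array $data, ?string $callback): array
{
    // Hex-escape <, >, &, ' and " so the JSON payload itself cannot close a script context.
    $body = json_encode($data, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);

    if ($callback === null || $callback === '') {
        // No callback requested: answer with plain JSON.
        return ['status' => 200, 'content_type' => 'application/json; charset=utf-8', 'body' => $body];
    }

    // Reject anything that is not an identifier, and cap the length to limit abuse.
    if (strlen($callback) > 64 || !preg_match(JSONP_CALLBACK_RE, $callback)) {
        return ['status' => 400, 'content_type' => 'application/json; charset=utf-8',
                'body' => json_encode(['error' => 'invalid callback'])];
    }

    // A leading /**/ and a script MIME type blunt content-sniffing abuse of the endpoint.
    return ['status' => 200, 'content_type' => 'application/javascript; charset=utf-8',
            'body' => '/**/' . $callback . '(' . $body . ');'];
}

// Emit the response together with the headers the hardened form relies on.
function send_jsonp(array $data, ?string $callback): void
{
    $r = jsonp_response_safe($data, $callback);
    http_response_code($r['status']);
    header('Content-Type: ' . $r['content_type']);
    header('X-Content-Type-Options: nosniff');
    echo $r['body'];
}

// Constructed sample inputs (not taken from the advisory): a valid name is accepted,
// a value carrying markup is refused with 400 instead of being reflected.
var_dump(jsonp_response_safe(['ok' => true], 'handleData')['status']);
var_dump(jsonp_response_safe(['ok' => true], '<script>alert(1)</script>')['status']);
```

Pairing the allow-list with a `Content-Security-Policy` that forbids inline script gives a second layer should another reflection point be found in the same application.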