Hailey

Name of the Vulnerable Software and Affected Versions: OA System versions prior to 2025.01.01 Description: A cross-site scripting (XSS) issue allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the `title` parameter at the "/daymanager/daymanageabilitycontroller.java" endpoint. Recommendations: For versions prior to 2025.01.01, update to version 2025.01.01 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/daymanager/daymanageabilitycontroller.java" endpoint to minimize the risk of exploitation. Avoid using the `title` parameter in the affected endpoint until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: OA System versions prior to 2025.01.01 Description: A cross-site scripting (XSS) issue allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the `outtype` parameter at the "/address/AddrController.java" endpoint. Recommendations: For versions prior to 2025.01.01, update to version 2025.01.01 or later to resolve the issue. As a temporary workaround, consider restricting access to the `/address/AddrController.java` endpoint to minimize the risk of exploitation. Avoid using the `outtype` parameter in the affected endpoint until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: OA System versions prior to 2025.01.01 Description: A cross-site scripting (XSS) issue allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the `title` parameter at the "/inform/InformManageController.java" endpoint. Recommendations: For versions prior to 2025.01.01, update to version 2025.01.01 or later to resolve the issue. As a temporary workaround, consider restricting access to the `/inform/InformManageController.java` endpoint or validating and sanitizing the `title` parameter to prevent malicious input.

Name of the Vulnerable Software and Affected Versions: OA System versions prior to 2025.01.01 Description: A cross-site scripting (XSS) issue allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the `password` parameter at the "/mail/MailController.java" endpoint. Recommendations: For versions prior to 2025.01.01, update to version 2025.01.01 or later to resolve the issue. As a temporary workaround, consider restricting access to the `/mail/MailController.java` endpoint to minimize the risk of exploitation. Avoid using the `password` parameter in the affected endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** hailey888 oa system versions up to 2025.01.01 **Description** A vulnerability was found in the hailey888 oa system, classified as problematic. The issue affects the function Save of the file cn/gson/oasys/controller/mail/MailController.java of the component Backend. The manipulation of the argument `MailNumberId` leads to cross-site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. **Recommendations** As a temporary workaround, consider disabling the Save function of the MailController.java file until a patch is available. Restrict access to the `MailNumberId` argument in the affected Backend component to minimize the risk of exploitation. Avoid using the `MailNumberId` argument in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: hailey888 oa system versions up to 2025.01.01 Description: A vulnerability was found in the hailey888 oa system, affecting the function `addandchangeday` of the file `cn/gson/oass/controller/daymanager/DaymanageController.java` of the component Backend. The manipulation of the argument `scheduleList` leads to cross-site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. This product is using a rolling release to provide continuous delivery. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: hailey888 oa system versions up to 2025.01.01 Description: A vulnerability has been found in the function `outAddress` of the file `cn/gson/oass/controller/address/AddrController.java` of the component Backend. The manipulation of the argument `outtype` leads to cross-site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continuous delivery. Therefore, version details for affected and updated releases are not available. Recommendations: As a temporary workaround, consider restricting access to the `outAddress` function of the `AddrController` class until a patch is available. Avoid using the `outtype` argument in the affected Backend component until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** hailey888 oa system up to 2025.01.01 **Description** A vulnerability was found in hailey888 oa system, affecting the function `loginCheck` of the file `cn/gson/oasys/controller/login/LoginsController.java` of the component Frontend. The manipulation of the argument `Username` leads to cross-site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. This product uses continuous delivery with rolling releases, so no version details of affected or updated releases are available. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, consider restricting the use of the `loginCheck` function or the `Username` argument in the affected component to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** hailey888 oa system up to 2025.01.01 **Description** A problematic issue has been found in the Backend component, specifically affecting the `testMess` function of the `InformManageController.java` file. The manipulation of the `menu` argument leads to cross-site scripting. This issue can be exploited remotely. **Recommendations** For hailey888 oa system up to 2025.01.01, as a temporary workaround, consider restricting access to the `testMess` function of the `InformManageController.java` file to minimize the risk of exploitation. Additionally, avoid using the `menu` argument in the affected function until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.