CVE-2025-3391

Name of the Vulnerable Software and Affected Versions: hailey888 oa system versions up to 2025.01.01

Description: A vulnerability has been found in the function outAddress of the file cn/gson/oass/controller/address/AddrController.java of the component Backend. The manipulation of the argument outtype leads to cross-site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continuous delivery. Therefore, version details for affected and updated releases are not available.

Recommendations: As a temporary workaround, consider restricting access to the outAddress function of the AddrController class until a patch is available. Avoid using the outtype argument in the affected Backend component until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.