PT-2025-21248 · Oa System · Oa System
Hailey
·
Published
2025-05-14
·
Updated
2025-05-29
·
CVE-2025-29689
CVSS v3.1
6.1
Medium
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions:
OA System versions prior to 2025.01.01
Description:
A cross-site scripting (XSS) issue allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the
password parameter at the "/mail/MailController.java" endpoint.Recommendations:
For versions prior to 2025.01.01, update to version 2025.01.01 or later to resolve the issue.
As a temporary workaround, consider restricting access to the
/mail/MailController.java endpoint to minimize the risk of exploitation.
Avoid using the password parameter in the affected endpoint until the issue is resolved.Exploit
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Oa System