CVE-2025-29688
📋 TL;DR
A stored cross-site scripting (XSS) vulnerability in OA System allows attackers to inject malicious scripts into the title parameter of the day management controller. This enables session hijacking, credential theft, or content manipulation when users view affected pages. All users of OA System versions before 2025.01.01 are potentially affected.
💻 Affected Systems
- OA System
📦 What is this software?
Oa System by Hailey888
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, hijack user sessions, deface the application, or redirect users to malicious sites, potentially leading to complete system compromise.
Likely Case
Attackers inject malicious scripts to steal user session cookies or credentials, enabling unauthorized access to sensitive OA system data and functions.
If Mitigated
With proper input validation and output encoding the injected script never executes in a victim's browser, so the impact is limited to failed exploitation attempts that show up in the logs.
🎯 Exploit Status
The vulnerability requires authentication to access the affected endpoint, but once authenticated, exploitation is straightforward with basic XSS payloads.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v2025.01.01
Vendor Advisory: https://gitee.com/hailey888/oa_system/issues/IBRRZX
Restart Required: Yes
Instructions:
1. Download OA System v2025.01.01 or later from the official repository.
2. Back up the current installation and data.
3. Deploy the updated version following the vendor's deployment procedures.
4. Restart the application server.
🔧 Temporary Workarounds
Input Validation Filter
Implement server-side input validation to sanitize the title parameter before processing.
Implement regex filtering: /[^a-zA-Z0-9\s\-\_\,\.\!\?]/g
Output Encoding
Apply proper HTML encoding to all user-controlled data before rendering in web pages.
Use HTML entity encoding: `&lt;` for `<`, `&gt;` for `>`, `&amp;` for `&`, `&quot;` for `"`, `&#x27;` for `'`
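The two workarounds above (the character allowlist on input and entity encoding on output) as one added example in Python. This is not OA System's code (the project itself is Java, so in a real deployment the same logic would sit in the controller or a servlet filter); the `MAX_TITLE_LEN` bound, the `render_title` markup and the sample payload are constructed for illustration. The example also makes the caveat concrete: the advisory's regex is ASCII-only, so it strips non-Latin titles entirely, which is why output encoding is the control to rely on and the filter is only a stopgap.

```python
import html
import re

# Allowlist from the advisory: every character outside this set is removed.
# The set is ASCII-only, so non-Latin text in titles is stripped as well.
DISALLOWED = re.compile(r"[^a-zA-Z0-9\s\-\_\,\.\!\?]")

# Constructed bound for the title field; OA System's real limit is not stated on the page.
MAX_TITLE_LEN = 120

# Constructed markup for the page that displays a stored title.
TITLE_OPEN = '<h2 class="day-title">'
TITLE_CLOSE = "</h2>"

# Entity map for the five characters that matter in HTML text and attribute
# contexts; everything else passes through unchanged.
ENTITY_MAP = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#x27;",
}


def sanitize_title(title: str) -> str:
    """Server-side input validation for the title parameter.

    Applies the advisory's character allowlist (drop every disallowed
    character, like a global regex replace) and enforces a length bound
    before the value is stored.
    """
    cleaned = DISALLOWED.sub("", title)
    return cleaned[:MAX_TITLE_LEN].strip()


def html_encode(value: str) -> str:
    """Output encoding: entity-encode user-controlled text before rendering."""
    return "".join(ENTITY_MAP.get(ch, ch) for ch in value)


def render_title(stored_title: str) -> str:
    """Build the HTML fragment that displays a stored title.

    Encoding happens here, at output time, so the browser treats the title as
    text even if validation was bypassed or the value predates the fix.
    """
    return f"{TITLE_OPEN}{html_encode(stored_title)}{TITLE_CLOSE}"


def title_has_raw_markup(fragment: str) -> bool:
    """Cheap regression check for the fix: True if the rendered title still
    contains an unencoded angle bracket, i.e. browser-parseable markup."""
    inner = fragment[len(TITLE_OPEN):-len(TITLE_CLOSE)]
    return "<" in inner or ">" in inner


def matches_stdlib(value: str) -> bool:
    """Cross-check: the hand-written encoder agrees with html.escape(quote=True)."""
    return html_encode(value) == html.escape(value, quote=True)


if __name__ == "__main__":
    # Constructed sample: the payload the advisory names in its verification step.
    payload = "<script>alert('test')</script>"
    print("validated:", sanitize_title(payload))
    print("rendered :", render_title(payload))
    print("raw markup left:", title_has_raw_markup(render_title(payload)))
    print("CJK title after filter:", repr(sanitize_title("会议")))
```

`sanitize_title` reduces the verification payload to `scriptalerttestscript`, and `render_title` turns it into `&lt;script&gt;alert(&#x27;test&#x27;)&lt;/script&gt;`, which displays as plain text. The last print shows the filter's cost: a Chinese title becomes the empty string, so in a deployment with non-Latin data the regex should be relaxed and the encoding step kept as the actual control.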
🧯 If You Can't Patch
- Implement a web application firewall (WAF) with XSS protection rules to block malicious payloads.
- Disable or restrict access to the /daymanager/daymanageabilitycontroller endpoint if not business-critical.
🔍 How to Verify
Check if Vulnerable:
Test by submitting a basic XSS payload such as `<script>alert('test')</script>` to the title parameter and checking whether it executes when the page is viewed.
Check Version:
Check application version in admin panel or configuration files; look for version string in web page source.
Verify Fix Applied:
After patching, attempt the same XSS payload and verify it's properly sanitized (shows as plain text rather than executing).
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /daymanager/daymanageabilitycontroller with script tags or JavaScript in parameters
- Multiple failed login attempts followed by successful access to the vulnerable endpoint
Network Indicators:
- HTTP requests containing <script> tags or JavaScript functions in title parameter
- Outbound connections to suspicious domains from OA System server
SIEM Query:
source="oa_system_logs" AND (uri="/daymanager/daymanageabilitycontroller" AND (param="*<script>*" OR param="*javascript:*"))
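The SIEM query above matches the literal strings `<script>` and `javascript:`, so a submission that is URL-encoded (`%3Cscript%3E`) or mixed-case (`<SCRIPT>`) slips past it. The following added example (not part of the advisory or of OA System) implements the same two indicators as a log scanner that decodes parameter values once and matches case-insensitively. The log line format and the sample lines are constructed; the real OA System log format is not shown on this page, so `parse_line` is the part to adapt.

```python
import re
import urllib.parse
from collections import Counter
from dataclasses import dataclass

TARGET_URI = "/daymanager/daymanageabilitycontroller"

# The two markers from the advisory's SIEM query, matched case-insensitively
# against URL-decoded values so encoded or mixed-case submissions are caught.
XSS_MARKERS = re.compile(r"<\s*script|javascript\s*:", re.IGNORECASE)


@dataclass(frozen=True)
class Alert:
    timestamp: str
    client: str
    param: str
    value: str


def parse_line(line: str):
    """Parse one constructed log line:
    '<ts> <client> <method> <path> <status> [<urlencoded params>]'.
    Returns None for lines that do not fit the format."""
    parts = line.split(None, 5)
    if len(parts) < 5:
        return None
    ts, client, method, path, status = parts[:5]
    query = parts[5] if len(parts) == 6 else ""
    return {
        "ts": ts,
        "client": client,
        "method": method,
        "path": path,
        "status": status,
        # parse_qs decodes %XX and '+' exactly once; double-encoded input stays
        # encoded, so decode a second time if the application does.
        "params": urllib.parse.parse_qs(query, keep_blank_values=True),
    }


def scan_line(line: str):
    """Return one Alert per parameter value on the target URI that matches a marker."""
    rec = parse_line(line)
    if rec is None or rec["path"] != TARGET_URI:
        return []
    return [
        Alert(rec["ts"], rec["client"], name, value)
        for name, values in rec["params"].items()
        for value in values
        if XSS_MARKERS.search(value)
    ]


def scan_log(lines):
    alerts = []
    for line in lines:
        alerts.extend(scan_line(line))
    return alerts


def alerts_by_client(alerts):
    """Aggregate hits per source address, the pivot an analyst triages on."""
    return Counter(a.client for a in alerts)


# Constructed sample log: one benign submission, two encoded/mixed-case
# payloads, an unrelated request, and a javascript: URL in a second parameter.
SAMPLE_LOG = """\
2025-03-01T10:15:02Z 10.0.0.5 POST /daymanager/daymanageabilitycontroller 200 title=Weekly+sync&content=notes
2025-03-01T10:16:40Z 10.0.0.9 POST /daymanager/daymanageabilitycontroller 200 title=%3Cscript%3Ealert(%27test%27)%3C%2Fscript%3E
2025-03-01T10:17:05Z 10.0.0.9 POST /daymanager/daymanageabilitycontroller 200 title=%3CSCRIPT%3E
2025-03-01T10:18:11Z 10.0.0.7 GET /login 200 user=alice
2025-03-01T10:19:30Z 10.0.0.9 POST /daymanager/daymanageabilitycontroller 200 title=Click&link=JavaScript%3Aalert(1)
"""

if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG.splitlines())
    for a in hits:
        print(f"{a.timestamp} {a.client} {a.param}={a.value!r}")
    print("per client:", dict(alerts_by_client(hits)))
```

On the sample the scanner raises three alerts, all from `10.0.0.9`, including the `<SCRIPT>` and `JavaScript:` variants that the literal wildcard query would not have matched. Pair the alert count with the login-failure indicator above when deciding whether a source is probing the endpoint.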