CVE-2025-29690
📋 TL;DR
This cross-site scripting (XSS) vulnerability in OA System allows attackers to inject malicious scripts into the outtype parameter, which could lead to session hijacking, data theft, or website defacement. Organizations using OA System versions before v2025.01.01 are affected.
💻 Affected Systems
- OA System
📦 What is this software?
OA System by Hailey888
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, compromise user accounts, redirect users to malicious sites, or perform actions on behalf of authenticated users.
Likely Case
Attackers could steal session cookies, perform phishing attacks, or deface parts of the application visible to other users.
If Mitigated
With proper input validation and output encoding, the impact would be limited to minor UI disruption with no data compromise.
🎯 Exploit Status
Exploitation requires the attacker to craft a malicious payload and trick a user into visiting a specially crafted URL or submitting a malicious form.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v2025.01.01
Vendor Advisory: https://gitee.com/hailey888/oa_system/issues/IBRRX3
Restart Required: Yes
Instructions:
1. Download OA System v2025.01.01 or later from the official repository.
2. Back up the current installation.
3. Replace affected files with patched versions.
4. Restart the application server.
🔧 Temporary Workarounds
Input Validation Filter
Implement server-side input validation to sanitize the outtype parameter
Add input validation in AddrController.java to reject or sanitize malicious payloads
Output Encoding
Apply proper output encoding when rendering the outtype parameter in HTML
Use HTML entity encoding for all user-controlled data in output
🧯 If You Can't Patch
- Implement a Web Application Firewall (WAF) with XSS protection rules
- Disable or restrict access to the /address/AddrController.java endpoint if not required
🔍 How to Verify
Check if Vulnerable:
Test by injecting a simple XSS payload like <script>alert('test')</script> into the outtype parameter and checking whether it executes
Check Version:
Check the OA System version in the application's admin panel or configuration files
Verify Fix Applied:
After patching, test the same XSS payload to confirm it's properly sanitized or rejected
📡 Detection & Monitoring
Log Indicators:
- Unusual outtype parameter values containing script tags or JavaScript code
- Multiple failed attempts with suspicious parameter values
Network Indicators:
- HTTP requests to /address/AddrController.java with encoded script tags in parameters
SIEM Query:
source="web_server" AND uri="/address/AddrController.java" AND param="outtype" AND (value CONTAINS "<script>" OR value CONTAINS "javascript:")
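The log indicators and SIEM query above, as an added Python example that is not part of this advisory or of OA System: it parses constructed combined-format access-log lines, URL-decodes the outtype value (including double-encoded payloads, which a literal "<script>" match in the SIEM query would miss) and reports requests whose value carries a script tag or javascript: marker. The combined log format, the /address/ path prefix and the sample lines are assumptions made for the example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (combined log format) for illustration only.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] "GET /address/AddrController.java?outtype=html&page=1 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2025:10:00:01 +0000] "GET /address/AddrController.java?outtype=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2025:10:00:02 +0000] "GET /address/AddrController.java?outtype=javascript%3Aalert(1) HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2025:10:00:03 +0000] "GET /address/AddrController.java?outtype=%253Cscript%253E HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2025:10:00:04 +0000] "GET /other?q=%3Cscript%3E HTTP/1.1" 200 100
"""

# Combined log format: client, identd, user, [timestamp], "METHOD URI PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d+)'
)
# Markers the SIEM query looks for, plus common event-handler and tag variants.
SUSPICIOUS = re.compile(r"<\s*/?\s*script|javascript\s*:|\bon\w+\s*=|<\s*(img|svg|iframe)\b", re.I)


def decode_fully(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly so double-encoded payloads (%253C -> %3C -> <) are seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_outtype_xss(log_text: str, path_prefix: str = "/address/") -> list[dict]:
    """Return one record per request whose outtype parameter carries an XSS marker."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        parts = urlsplit(m.group("uri"))
        if not parts.path.startswith(path_prefix):
            continue
        # parse_qs decodes once; decode_fully catches further layers of encoding
        for raw in parse_qs(parts.query, keep_blank_values=True).get("outtype", []):
            value = decode_fully(raw)
            if SUSPICIOUS.search(value):
                hits.append({"ip": m.group("ip"), "ts": m.group("ts"), "outtype": value})
    return hits


if __name__ == "__main__":
    print(find_outtype_xss(SAMPLE_LOG))
```

Point the function at a real access log by replacing SAMPLE_LOG with the file contents; the request path and parameter name may need adjusting to the deployment.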