Key Information Vulnerability Type Stored XSS: Stored Cross-Site Scripting Affected Versions o2oa ≤ 10.0-410-g3d5e0d2 Vulnerability Description In the endpoint of o2oa, user-provided input (such as profile fields) is stored without serialization and later rendered in the application, leading to persistent execution of malicious scripts. Exploitation Method (POC) Impact Persistent JavaScript execution in victims' browsers Potential theft of session tokens or sensitive user data Unauthorized operations performed under the identity of authenticated users Mitigation Recommendations Filter and escape user input before storing it in profile fields, and ensure proper output encoding when rendering data.