Key Information Vulnerability Type Stored XSS: Stored Cross-Site Scripting Affected Versions o2oa ≤ 10.0-410-g3d5e0d2 Vulnerability Description In the endpoint of o2oa, user-provided input (such as profile fields) is stored without sanitization and then rendered in the application, leading to persistent execution of malicious scripts. Exploitation Method (POC) Impact Persistent JavaScript execution in victim's browser Potential theft of session tokens or sensitive user data Unauthorized operations performed under authenticated user identity Mitigation Filter and escape user input before storing it in profile fields, and ensure proper output encoding when rendering data.