Key Information

Vulnerability Type
Stored XSS: Stored Cross-Site Scripting

Affected Versions
o2oa ≤ 10.0-410-g3d5e0d2

Vulnerability Description
In the endpoint of o2oa, user-provided input (such as profile fields) is stored without sanitization and later rendered in the application, leading to persistent execution of malicious scripts.

Exploitation Method (POC)

Impact
- Persistent JavaScript execution in the victim's browser
- Potential leakage of session tokens or sensitive user data
- Unauthorized operations performed under the authenticated user's identity

Mitigation Recommendations
- Filter and escape user input before storage
- Ensure proper output encoding when rendering data
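
One way to apply the output-encoding recommendation, shown beside the unencoded rendering it replaces. This is an added example, not o2oa code and not part of the original advisory; the `signature` profile field, the function names and the sample value are assumptions constructed for illustration.

```javascript
// Added example: names and sample data are constructed, not taken from o2oa.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Encode a stored value for use as HTML element content or inside a
// quoted attribute value. null/undefined become an empty string.
function escapeHtml(value) {
  return String(value ?? '').replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// "Before": the stored field is concatenated into markup unchanged, so
// any markup saved in the profile becomes part of the page.
function renderProfileUnsafe(profile) {
  return '<div class="profile" title="' + profile.signature + '">' +
    profile.signature + '</div>';
}

// "After": the stored field is encoded at the point of output, in both
// the attribute and the element content.
function renderProfileSafe(profile) {
  const s = escapeHtml(profile.signature);
  return '<div class="profile" title="' + s + '">' + s + '</div>';
}

// Crude check for injected markup: count element start tags in a fragment.
function countTags(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

// Constructed stored value (hypothetical profile field containing markup).
const storedProfile = { signature: `Al <b onclick="x()">O'Brien</b> & co` };

console.log('unsafe tags:', countTags(renderProfileUnsafe(storedProfile)));
console.log('safe tags:  ', countTags(renderProfileSafe(storedProfile)));
console.log(renderProfileSafe(storedProfile));
```

Encoding at render time protects every view that uses it, including values stored before any input filter was introduced.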