CVE-2025-9718 MEDIUM

CVE-2025-9718: O2OA Personal Profile process cross site scripting

Vendor N/A
Product O2OA
Weakness CWE-79 · XSS
Published August 31, 2025
Last update September 2, 2025

CVSS base score

5.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P

What the vulnerability does

01Description

A security flaw has been discovered in O2OA up to 10.0-410. This affects an unknown part of the file /x_processplatform_assemble_designer/jaxrs/process of the component Personal Profile Page. Performing manipulation of the argument name/alias results in cross site scripting. Remote exploitation of the attack is possible. The exploit has been released to the public and may be exploited. The vendor replied in the GitHub issue (translated from simplified Chinese): "This issue will be fixed in the new version."

Key dates

02Disclosure timeline

August 31, 2025 CVE published
September 2, 2025 Record updated