CVE-2025-10271 is a cross-site scripting (XSS) vulnerability identified in version 1.0 of the erjinzhi 10OA product. The vulnerability arises from improper sanitization or validation of the 'Name' argument within an unspecified function located in the /trial/mvc/finder file. An attacker can remotely manipulate this parameter to inject malicious scripts, which are then executed in the context of the victim's browser. This type of vulnerability enables attackers to perform actions such as session hijacking, defacement, or redirecting users to malicious sites. The vulnerability does not require authentication, making it accessible to unauthenticated remote attackers. The CVSS 4.0 base score is 5.3, indicating a medium severity level. The vector metrics specify that the attack vector is network-based (AV:N), with low attack complexity (AC:L), no privileges required (PR:N), but user interaction is necessary (UI:P). The impact on confidentiality is none, integrity is low, and availability is none, suggesting that the primary risk is to user trust and session security rather than system compromise or data loss. The vendor was notified early but did not respond or provide a patch, and while no known exploits are currently observed in the wild, the exploit code has been made public, increasing the risk of exploitation. The lack of a patch or vendor response heightens the urgency for organizations using this product to implement mitigations proactively.

For European organizations using erjinzhi 10OA version 1.0, this vulnerability poses a risk primarily to end-users interacting with the affected web application. Successful exploitation could lead to session hijacking, unauthorized actions performed on behalf of users, or phishing attacks via malicious script injection. Although the direct impact on system integrity and availability is low, the compromise of user sessions or credentials can lead to broader security incidents, including unauthorized access to sensitive information or internal systems. Organizations in sectors with high regulatory scrutiny, such as finance, healthcare, or government, may face compliance risks if user data is compromised or if the vulnerability is exploited to facilitate further attacks. The public availability of exploit code and absence of vendor remediation increase the likelihood of targeted attacks, especially against organizations that rely heavily on this software for internal workflows or customer-facing services.

Given the absence of an official patch, European organizations should implement the following specific mitigations: 1) Employ Web Application Firewalls (WAFs) with custom rules to detect and block malicious payloads targeting the 'Name' parameter in the /trial/mvc/finder endpoint. 2) Conduct input validation and output encoding at the application layer, if source code access is available, to sanitize user inputs and prevent script injection. 3) Implement Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. 4) Monitor web server logs and application behavior for unusual requests or error patterns indicative of exploitation attempts. 5) Educate users to recognize phishing attempts and suspicious behaviors that may result from XSS attacks. 6) Consider isolating or restricting access to the vulnerable application until a vendor patch or official fix is released. 7) Regularly update and audit all web-facing applications to identify and remediate similar vulnerabilities proactively.