CVE-2025-10272 is a cross-site scripting (XSS) vulnerability identified in erjinzhi 10OA version 1.0, specifically within an unspecified function of the /trial/mvc/catalogue file. The vulnerability arises from improper sanitization or validation of the 'Name' argument, allowing an attacker to inject malicious scripts. This flaw can be exploited remotely without any authentication or privileges, requiring only user interaction to trigger the malicious payload. The vulnerability has been publicly disclosed, and although no known exploits are currently observed in the wild, the availability of public details increases the risk of exploitation. The vendor has not responded to early notifications, and no patches or mitigations have been provided. The CVSS 4.0 base score is 5.3 (medium severity), reflecting the network attack vector, low attack complexity, no privileges or user interaction required for exploitation, and limited impact on confidentiality and integrity but low impact on availability. The vulnerability could allow attackers to execute arbitrary scripts in the context of the victim's browser, potentially leading to session hijacking, credential theft, or other malicious activities depending on the victim's interaction with the affected application.

For European organizations using erjinzhi 10OA 1.0, this vulnerability poses a moderate risk. XSS attacks can lead to theft of sensitive user data, session tokens, or unauthorized actions performed on behalf of users. In sectors such as finance, healthcare, or government, where data confidentiality and integrity are paramount, exploitation could result in regulatory non-compliance (e.g., GDPR violations), reputational damage, and financial losses. Since the vulnerability requires user interaction, phishing or social engineering campaigns could be used to lure users into triggering the exploit. The lack of vendor response and patches increases exposure time. Organizations relying on erjinzhi 10OA for internal or external-facing applications should be aware that attackers might leverage this vulnerability to compromise user accounts or escalate attacks within their networks.

Given the absence of official patches, European organizations should implement immediate compensating controls. These include deploying web application firewalls (WAFs) with custom rules to detect and block malicious payloads targeting the 'Name' parameter in the /trial/mvc/catalogue endpoint. Input validation and output encoding should be enforced at the application level, if source code access is available, to sanitize user inputs and prevent script injection. Security teams should monitor web logs for suspicious requests and anomalous user behavior indicative of XSS attempts. User awareness training should emphasize caution when interacting with links or inputs related to the affected application. Additionally, organizations should consider isolating or restricting access to the vulnerable application until a vendor patch or official fix is released. Regular vulnerability scanning and penetration testing focused on XSS vectors can help identify and mitigate exploitation attempts.