
CVE-2025-10274: Cross Site Scripting in erjinzhi 10OA

Medium
Tags: Vulnerability, CVE-2025-10274, cve
Published: Fri Sep 12 2025 (09/12/2025, 00:02:06 UTC)
Source: CVE Database V5
Vendor/Project: erjinzhi
Product: 10OA

Description

A security flaw has been discovered in erjinzhi 10OA 1.0. Affected by this issue is some unknown functionality of the file /trial/mvc/item. Manipulation of the argument Name results in cross-site scripting. The attack may be initiated remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

Last updated: 09/12/2025, 00:44:40 UTC

Technical Analysis

CVE-2025-10274 is a cross-site scripting (XSS) vulnerability identified in erjinzhi 10OA version 1.0, specifically within an unspecified functionality of the /trial/mvc/item endpoint. The vulnerability arises from improper sanitization or validation of the 'Name' argument, allowing an attacker to inject malicious scripts that execute in the context of a victim's browser. This flaw can be exploited remotely without requiring authentication, and user interaction is necessary to trigger the malicious payload (e.g., by visiting a crafted URL). The vulnerability has a CVSS 4.0 base score of 5.3, indicating a medium severity level. The attack vector is network-based with low attack complexity and no privileges or user authentication required. The impact primarily affects the confidentiality and integrity of user data by enabling attackers to steal session tokens, perform actions on behalf of users, or redirect users to malicious sites. The vendor has not responded to disclosure attempts, and no patches or mitigations have been published at this time. Although no exploits are currently known to be active in the wild, the public availability of the exploit code increases the risk of exploitation.

Potential Impact

For European organizations using erjinzhi 10OA 1.0, this vulnerability poses a moderate risk. Successful exploitation could lead to session hijacking, unauthorized actions, or data theft via client-side script execution. This is particularly concerning for organizations handling sensitive or personal data, as XSS can facilitate data leakage and undermine user trust. The vulnerability could also be leveraged as a stepping stone for more complex attacks, such as phishing or delivering malware. Given the lack of vendor response and patches, organizations face an increased window of exposure. The impact is heightened in sectors with strict data protection regulations like GDPR, where data breaches can result in significant legal and financial penalties. Additionally, the remote and unauthenticated nature of the attack vector means that attackers can target users without needing internal access, increasing the threat surface.

Mitigation Recommendations

Organizations should implement immediate compensating controls to mitigate the risk. These include deploying web application firewalls (WAFs) with rules designed to detect and block malicious script injections targeting the vulnerable endpoint. Input validation and output encoding should be enforced at the application level to sanitize the 'Name' parameter, ideally by applying strict whitelisting of allowed characters. Until an official patch is released, consider restricting access to the /trial/mvc/item endpoint via network segmentation or IP whitelisting to limit exposure. Security teams should monitor web logs for suspicious requests containing script tags or unusual payloads targeting the vulnerable parameter. User awareness training should emphasize caution when clicking on unknown links. Finally, organizations should engage with the vendor for updates and consider alternative solutions if the vendor remains unresponsive.
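The two application-level and monitoring controls above, as an added example that is not part of the advisory or the vendor's product: an allow-list check and HTML output encoding for the 'Name' parameter, plus a scan over access-log lines that flags requests to /trial/mvc/item whose decoded Name value carries script or tag markers. The combined-style log format, the allow-list pattern and the sample log lines are assumptions constructed for the example.

```python
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoint and parameter named in the advisory; everything else here is assumed.
VULN_PATH = "/trial/mvc/item"
VULN_PARAM = "Name"

# Assumed allow-list: what a legitimate Name value is expected to look like.
ALLOWED_NAME = re.compile(r"^[\w .\-]{1,64}$")
# Markers of HTML/script injection after URL decoding (tags, javascript: URLs, event handlers).
SUSPICIOUS = re.compile(r"<\s*/?\s*[a-z!]|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)
# Apache/Nginx "combined"-style access log line (assumed format).
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" \d{3}')


def is_allowed_name(name: str) -> bool:
    """Allow-list validation of the Name parameter (application-level fix)."""
    return ALLOWED_NAME.fullmatch(name) is not None


def render_name(name: str) -> str:
    """Output-encode Name before embedding it in HTML so it is shown as text, not markup."""
    return html.escape(name, quote=True)


def suspicious_name_requests(log_lines):
    """Return (client ip, decoded Name) for requests to the vulnerable endpoint
    whose Name parameter fails the allow-list or carries injection markers."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparseable line; skip rather than abort the scan
        url = urlsplit(m.group("target"))
        if url.path != VULN_PATH:
            continue
        for value in parse_qs(url.query, keep_blank_values=True).get(VULN_PARAM, []):
            value = unquote(value)  # second decode catches double-encoded payloads
            if SUSPICIOUS.search(value) or not is_allowed_name(value):
                hits.append((m.group("ip"), value))
    return hits


# Constructed sample log lines (not from any real system).
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Sep/2025:10:00:01 +0000] "GET /trial/mvc/item?Name=Printer%2042 HTTP/1.1" 200 512',
    '203.0.113.9 - - [12/Sep/2025:10:00:02 +0000] "GET /trial/mvc/item?Name=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 640',
    '203.0.113.9 - - [12/Sep/2025:10:00:03 +0000] "GET /trial/mvc/item?Name=x%22%20onmouseover%3Dalert(1) HTTP/1.1" 200 640',
    '198.51.100.7 - - [12/Sep/2025:10:00:04 +0000] "GET /other/page?Name=%3Cb%3E HTTP/1.1" 200 100',
]
```

Running `suspicious_name_requests(SAMPLE_LOG)` flags only the two requests to the vulnerable path with markup in Name; the fourth line hits a different path and is ignored, which is the place to widen the scan if other endpoints reflect the same parameter.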


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-09-11T15:11:33.258Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68c36981563d4c3db0629e3c

Added to database: 9/12/2025, 12:29:53 AM

Last enriched: 9/12/2025, 12:44:40 AM

Last updated: 9/12/2025, 11:16:48 PM

