CVE-2025-10274 is a cross-site scripting (XSS) vulnerability identified in erjinzhi 10OA version 1.0, specifically within an unspecified functionality of the /trial/mvc/item endpoint. The vulnerability arises from improper sanitization or validation of the 'Name' parameter, allowing an attacker to inject malicious scripts. This flaw can be exploited remotely without requiring authentication or privileges, and user interaction is necessary to trigger the malicious payload, consistent with reflected XSS behavior. The vulnerability has a CVSS 4.0 base score of 5.3, indicating a medium severity level. The attack vector is network-based with low attack complexity and no privileges or user authentication required, but user interaction is needed to execute the attack. The impact primarily affects confidentiality and integrity to a limited extent, as the vulnerability allows execution of arbitrary scripts in the context of the victim's browser, potentially leading to session hijacking, credential theft, or unauthorized actions within the affected application. The vendor has been contacted but has not responded or issued a patch, and no known exploits are currently observed in the wild, although a public exploit has been released. This increases the risk of exploitation by opportunistic attackers. The erjinzhi 10OA product is an office automation platform, likely used in enterprise environments for workflow and document management, making the vulnerability relevant to organizations relying on this software for internal operations.

For European organizations using erjinzhi 10OA 1.0, this XSS vulnerability poses a moderate risk. Successful exploitation could lead to session hijacking, unauthorized access to sensitive information, or manipulation of user actions within the application, potentially disrupting business processes or exposing confidential data. Since the vulnerability requires user interaction, phishing or social engineering campaigns could be used to lure employees into triggering the exploit. The lack of vendor response and patch availability increases exposure duration. Organizations in sectors with high regulatory requirements for data protection, such as finance, healthcare, and government, could face compliance risks if sensitive data is compromised. Additionally, the presence of a public exploit increases the likelihood of targeted or opportunistic attacks, especially in environments where erjinzhi 10OA is integrated into critical workflows.

Given the absence of an official patch, European organizations should implement immediate compensating controls. These include deploying web application firewalls (WAFs) with custom rules to detect and block malicious payloads targeting the 'Name' parameter in the /trial/mvc/item endpoint. Input validation and output encoding should be enforced at the application level if source code access is available, sanitizing user inputs to neutralize script injection. Organizations should conduct user awareness training to recognize and avoid phishing attempts that could trigger the exploit. Network segmentation can limit exposure of the erjinzhi 10OA application to only trusted internal users. Monitoring and logging web traffic for anomalous requests targeting the vulnerable endpoint can help detect exploitation attempts early. Finally, organizations should engage with the vendor for updates and consider alternative solutions if the vendor remains unresponsive.