CVE-2025-29691 is a cross-site scripting (XSS) vulnerability identified in the OA System prior to version 2025.01.01. The vulnerability arises from insufficient input validation and output encoding of the userName parameter within the /login/LoginsController.java endpoint. An attacker can craft a malicious payload injected into this parameter, which, when processed by the vulnerable web application, results in the execution of arbitrary web scripts or HTML in the context of the victim's browser session. This type of reflected XSS attack can be leveraged to steal session cookies, perform actions on behalf of the user, or redirect users to malicious sites. The CVSS v3.1 base score of 6.1 (medium severity) reflects that the vulnerability is remotely exploitable over the network without requiring privileges, but it does require user interaction (the victim must visit a crafted URL). The scope is changed (S:C), indicating that exploitation could affect resources beyond the vulnerable component, potentially impacting the confidentiality and integrity of user data. There are no known public exploits in the wild at this time, and no official patches have been linked yet. The vulnerability is classified under CWE-79, which is the standard category for XSS issues. Given the vulnerability affects the login controller, it is particularly sensitive as it may impact authentication workflows and user sessions.

For European organizations using the OA System, this vulnerability poses a risk to user confidentiality and data integrity. Successful exploitation could allow attackers to hijack user sessions, leading to unauthorized access to sensitive information or manipulation of user actions within the system. This could result in data breaches, loss of trust, and potential regulatory non-compliance under GDPR due to exposure of personal data. Since the vulnerability requires user interaction, phishing or social engineering campaigns could be used to lure users into clicking malicious links. The impact is heightened in organizations where the OA System is integrated with critical business processes or contains sensitive corporate data. Additionally, the reflected XSS could be used as a stepping stone for more sophisticated attacks, including privilege escalation or lateral movement within the network if combined with other vulnerabilities.

European organizations should prioritize updating the OA System to version 2025.01.01 or later once available, as this will likely contain the fix for this vulnerability. Until a patch is released, organizations should implement input validation and output encoding on the userName parameter at the web application firewall (WAF) or reverse proxy level to block malicious payloads. Employing Content Security Policy (CSP) headers can help mitigate the impact of XSS by restricting the execution of unauthorized scripts. User awareness training to recognize phishing attempts can reduce the risk of exploitation via social engineering. Monitoring web server logs for unusual requests targeting the /login/LoginsController.java endpoint can help detect attempted exploitation. Additionally, implementing multi-factor authentication (MFA) can limit the damage from session hijacking. Regular security assessments and penetration testing focused on web application security should be conducted to identify and remediate similar vulnerabilities proactively.