
CVE-2025-9646: Cross Site Scripting in O2OA

Severity: Medium
Type: Vulnerability
CVE: CVE-2025-9646
Published: Fri Aug 29 2025 (08/29/2025, 13:02:06 UTC)
Source: CVE Database V5
Product: O2OA

Description

A security flaw has been discovered in O2OA up to 10.0-410. This vulnerability affects unknown code of the file /x_organization_assemble_personal/jaxrs/definition/calendarConfig. The manipulation of the argument toMonthViewName results in cross site scripting. The attack can be launched remotely. The exploit has been released to the public and may be exploited. The vendor replied in the GitHub issue (translated from simplified Chinese): "This issue will be fixed in the new version."

AI-Powered Analysis

Last updated: 08/29/2025, 13:32:56 UTC

Technical Analysis

CVE-2025-9646 is a cross-site scripting (XSS) vulnerability identified in the O2OA platform, specifically affecting versions up to 10.0-410. The vulnerability arises from improper sanitization of the 'toMonthViewName' parameter within the /x_organization_assemble_personal/jaxrs/definition/calendarConfig endpoint. An attacker can remotely manipulate this parameter to inject malicious scripts, which are then executed in the context of the victim's browser. This type of vulnerability enables attackers to perform actions such as session hijacking, defacement, or redirecting users to malicious sites. The vulnerability does not require authentication but does require user interaction (e.g., the victim visiting a crafted URL). The CVSS 4.0 score is 5.1 (medium severity), reflecting network attack vector, low attack complexity, no privileges required, but user interaction needed, and limited impact on confidentiality and integrity with no impact on availability. The vendor has acknowledged the issue and plans to fix it in a future release, but no patch is currently available. Public exploit code has been released, increasing the risk of exploitation.

Potential Impact

For European organizations using O2OA up to version 10.0-410, this vulnerability poses a tangible risk of client-side attacks that can compromise user sessions and data confidentiality. Since O2OA is a collaborative office automation platform, exploitation could lead to unauthorized access to sensitive organizational information, phishing attacks leveraging trusted internal domains, and potential lateral movement if session tokens or credentials are stolen. The medium severity rating indicates that while the vulnerability is not critical, it can be leveraged to undermine user trust and data integrity. The remote exploitability without authentication increases the attack surface, especially in organizations with exposed O2OA instances accessible via the internet or intranet. The lack of a current patch means organizations must rely on mitigations until an official fix is released. This vulnerability could disrupt business operations, damage reputation, and lead to compliance issues under GDPR if personal data is compromised.

Mitigation Recommendations

European organizations should immediately implement input validation and output encoding controls at the application or web server level to sanitize the 'toMonthViewName' parameter. Web Application Firewalls (WAFs) can be configured with custom rules to detect and block suspicious payloads targeting this parameter. Network segmentation should be enforced to limit access to O2OA instances to trusted internal users only, reducing exposure to external attackers. User awareness training should emphasize caution when clicking on unexpected links, especially those related to calendar or scheduling features. Monitoring and logging of HTTP requests to the affected endpoint should be enhanced to detect exploitation attempts. Organizations should track vendor communications closely and plan for prompt application of the official patch once released. Additionally, consider deploying Content Security Policy (CSP) headers to mitigate the impact of XSS by restricting script execution sources.
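The mitigation paragraph above names three controls for this parameter: an allow-list check before the value is used, output encoding when it is rendered, and request monitoring on the affected endpoint. The block below is an added illustration and is not O2OA code; O2OA's actual handling of toMonthViewName is not shown on this page. The endpoint path and parameter name come from the advisory; the allow-list pattern, the CSP value, the function names and the access-log lines are assumptions constructed for the example.

```python
import html
import re
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Values taken from the advisory text.
AFFECTED_PATH = "/x_organization_assemble_personal/jaxrs/definition/calendarConfig"
PARAM = "toMonthViewName"

# Illustrative CSP that blocks inline and third-party script execution.
# Assumed value: a real deployment must allow whatever script sources the
# application legitimately loads, or the UI will break.
CSP_HEADER = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'"


def is_valid_view_name(value: str) -> bool:
    """Allow-list check (assumed policy): letters, digits, space, '_' or '-', 1-64 chars."""
    return re.fullmatch(r"[A-Za-z0-9_\- ]{1,64}", value) is not None


def encode_for_html(value: str) -> str:
    """Output-encode an untrusted string for an HTML text or attribute context."""
    return html.escape(value, quote=True)


def render_calendar_config(view_name: str) -> str:
    """Hardened renderer: reject values outside the allow-list, encode what remains."""
    if not is_valid_view_name(view_name):
        raise ValueError(f"{PARAM} rejected by allow-list")
    return f'<span class="view-name">{encode_for_html(view_name)}</span>'


# Detection: markup characters, URL schemes or event-handler attributes in the parameter.
SUSPICIOUS = re.compile(r"[<>\"']|javascript:|on\w+\s*=", re.IGNORECASE)
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def flag_request(line: str) -> Optional[dict]:
    """Return a finding for a request to the affected endpoint with a suspicious parameter, else None."""
    m = REQUEST_LINE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != AFFECTED_PATH:
        return None
    for raw in parse_qs(parts.query).get(PARAM, []):
        decoded = unquote(raw)  # second decode catches double-encoded values
        if SUSPICIOUS.search(decoded):
            return {"method": m.group("method"), "param": PARAM, "value": decoded}
    return None


def scan_log(lines) -> list:
    """Run flag_request over every line and collect the findings."""
    return [f for f in (flag_request(l) for l in lines) if f is not None]


# Constructed access-log lines in common log format; not from any real system.
SAMPLE_LOG = [
    '10.0.0.5 - - [29/Aug/2025:13:02:06 +0000] "GET /x_organization_assemble_personal/jaxrs/definition/calendarConfig?toMonthViewName=Month%20View HTTP/1.1" 200 512',
    '10.0.0.9 - - [29/Aug/2025:13:05:41 +0000] "GET /x_organization_assemble_personal/jaxrs/definition/calendarConfig?toMonthViewName=%3Cscript%3Etest%3C%2Fscript%3E HTTP/1.1" 200 512',
    '10.0.0.9 - - [29/Aug/2025:13:06:00 +0000] "GET /x_other/jaxrs/ping?toMonthViewName=%3Cscript%3E HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    print(render_calendar_config("Month View"))
    for finding in scan_log(SAMPLE_LOG):
        print("suspicious request:", finding)
```

The allow-list runs first because it is the cheaper and stricter control; output encoding is kept anyway so that a value which slips past a loosened allow-list still cannot break out of the HTML context. The log scan compares the URL path exactly and only inspects the named parameter, which keeps the rule narrow enough to use as a WAF or SIEM signature without flagging ordinary calendar traffic.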


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-08-29T06:02:55.638Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68b1a87cad5a09ad0077e760

Added to database: 8/29/2025, 1:17:48 PM

Last enriched: 8/29/2025, 1:32:56 PM

Last updated: 8/29/2025, 3:28:53 PM
