
CVE-2025-9655: Cross Site Scripting in O2OA

Severity: Medium
Tags: Vulnerability, CVE-2025-9655
Published: Fri Aug 29 2025 (08/29/2025, 15:02:10 UTC)
Source: CVE Database V5
Product: O2OA

Description

A weakness has been identified in O2OA up to 10.0-410. This affects an unknown part of the file /x_organization_assemble_control/jaxrs/person/ of the component Personal Profile Page. Executing manipulation of the argument Description can lead to cross site scripting. The attack can be launched remotely. The vendor replied in the GitHub issue (translated from simplified Chinese): "This issue will be fixed in the new version."

AI-Powered Analysis

Last updated: 08/29/2025, 15:32:42 UTC

Technical Analysis

CVE-2025-9655 is a cross-site scripting (XSS) vulnerability identified in the O2OA platform, specifically affecting versions up to 10.0-410. The vulnerability resides in the Personal Profile Page component, within the file /x_organization_assemble_control/jaxrs/person/. The issue arises from improper sanitization or validation of the 'Description' argument, which an attacker can manipulate to inject malicious scripts. This flaw allows remote attackers to execute arbitrary JavaScript in the context of the victim's browser when they view the compromised profile page. The vulnerability does not require authentication but does require user interaction (viewing the malicious content). The CVSS 4.0 base score is 5.1 (medium severity), reflecting network attack vector, low attack complexity, no privileges required, but user interaction needed. The impact on confidentiality is none, integrity is low, and availability is none. The vendor has acknowledged the issue and plans to fix it in a future release, but no patch is currently available. There are no known exploits in the wild at this time. XSS vulnerabilities can be leveraged for session hijacking, phishing, or delivering further malware payloads, making them a significant concern in web applications handling sensitive user data.

Potential Impact

For European organizations using O2OA, this vulnerability poses a risk primarily to the confidentiality and integrity of user sessions and data. Since O2OA is a collaborative office automation platform, exploitation could lead to unauthorized actions performed on behalf of users, theft of session cookies, or redirection to malicious sites. This could compromise sensitive corporate information or user credentials. The medium severity score indicates a moderate risk, but the potential for social engineering or chained attacks could elevate the impact. Organizations in sectors with strict data protection regulations, such as GDPR, may face compliance issues if user data is compromised. Additionally, the remote attack vector and lack of required privileges increase the likelihood of exploitation if the vulnerability is not mitigated promptly. The absence of a patch means organizations must rely on interim controls to reduce risk.

Mitigation Recommendations

European organizations should implement the following specific mitigations:

1) Apply strict input validation and output encoding on the 'Description' field within O2OA, if possible through configuration or custom code, to neutralize malicious scripts.
2) Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers accessing the platform.
3) Monitor and audit user-generated content for suspicious inputs that could exploit this vulnerability.
4) Educate users about the risks of clicking on unexpected links or interacting with untrusted profile pages within O2OA.
5) Isolate the O2OA deployment within a segmented network zone with limited access to sensitive systems.
6) Regularly check for vendor updates and apply the official patch as soon as it is released.
7) Use web application firewalls (WAFs) with custom rules to detect and block XSS payloads targeting the vulnerable endpoint.

These steps go beyond generic advice by focusing on compensating controls until the vendor patch is available.
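The first three mitigations (output encoding of the Description field, a CSP header, and auditing stored content) as an added, self-contained example; this is not O2OA's code, and `renderProfileDescription` is a hypothetical stand-in for wherever the profile page inserts the stored value into HTML.

```javascript
// Added example (not O2OA's code): contextual output encoding for a
// user-controlled profile "Description" value before it is placed into HTML,
// an audit heuristic for stored values, and a CSP value that limits what an
// injected script could do if encoding were ever bypassed.

// Encode the five characters that change meaning inside an HTML text node
// or a double-quoted attribute (standard HTML entity encoding).
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hypothetical profile renderer: the stored description is encoded on
// output, so any markup it contains is shown as literal text, not executed.
function renderProfileDescription(description) {
  return `<p class="profile-description">${escapeHtml(description)}</p>`;
}

// Audit heuristic for stored descriptions (mitigation 3): flags values that
// contain tags, event-handler attributes or script-scheme URLs for review.
// This is a monitoring aid only; encoding on output is the actual control.
const SUSPICIOUS_PATTERNS = [/<\s*\/?\s*[a-z]/i, /\bon\w+\s*=/i, /javascript\s*:/i];
function isSuspiciousDescription(description) {
  return SUSPICIOUS_PATTERNS.some((re) => re.test(String(description)));
}

// Content-Security-Policy (mitigation 2): no inline scripts, scripts only
// from the application's own origin, no plugins, no <base> hijacking.
function contentSecurityPolicy() {
  return "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'";
}

// Constructed sample value for demonstration (not a real payload from the page).
const sampleDescription = 'Hello <script>alert(1)</script> world';

// Stand-alone demonstration.
console.log(renderProfileDescription(sampleDescription));
console.log("suspicious:", isSuspiciousDescription(sampleDescription));
console.log("Content-Security-Policy:", contentSecurityPolicy());
```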


Technical Details

Data Version
5.1
Assigner Short Name
VulDB
Date Reserved
2025-08-29T07:03:08.759Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 68b1c49dad5a09ad00790099

Added to database: 8/29/2025, 3:17:49 PM

Last enriched: 8/29/2025, 3:32:42 PM

Last updated: 8/29/2025, 5:24:39 PM
