CVE-2025-9657 is a cross-site scripting (XSS) vulnerability identified in O2OA, an open-source office automation platform, specifically affecting versions up to 10.0-410. The vulnerability exists in the processing of the /x_program_center/jaxrs/script endpoint within the Personal Profile Page component. Attackers can manipulate input parameters such as name, alias, or description to inject malicious scripts. This flaw allows remote attackers to execute arbitrary JavaScript in the context of the victim's browser without requiring authentication, although user interaction is necessary to trigger the payload. The vulnerability is classified as reflected XSS, where the injected script is reflected off the web server in the response. The vendor has acknowledged the issue and indicated that a fix will be included in a forthcoming version. The CVSS 4.0 base score is 5.1 (medium severity), reflecting the network attack vector, low attack complexity, no privileges required, but requiring user interaction. There is no evidence of known exploits in the wild yet, but the exploit code has been publicly disclosed, increasing the risk of exploitation. This vulnerability could be leveraged to steal session cookies, perform phishing attacks, or conduct other malicious activities by hijacking user sessions or manipulating web content within the affected application.

For European organizations using O2OA, this vulnerability poses a moderate risk. Exploitation could lead to unauthorized access to user sessions, data theft, or manipulation of user interactions within the platform. Given that O2OA is used for office automation, including personal profiles and potentially sensitive organizational data, successful attacks could compromise confidentiality and integrity of user data. The reflected XSS could facilitate targeted phishing or social engineering campaigns within organizations, potentially leading to broader compromise. While the vulnerability does not directly impact availability, the indirect effects of compromised user accounts or data leakage could disrupt business operations. The medium CVSS score reflects that while the attack is feasible remotely and without authentication, it requires user interaction, somewhat limiting the scope. However, the public availability of exploit code increases the urgency for mitigation. European organizations with internal or external-facing O2OA deployments should consider this a relevant threat, especially those with high user interaction with the affected component.

Organizations should prioritize updating O2OA to the vendor's forthcoming patched version once released. In the interim, implement strict input validation and output encoding on the affected parameters (name, alias, description) to neutralize malicious scripts. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. Conduct user awareness training to recognize and avoid suspicious links or inputs that could trigger XSS attacks. Review and restrict access to the /x_program_center/jaxrs/script endpoint if feasible, possibly through web application firewalls (WAFs) with custom rules to detect and block XSS payloads targeting this endpoint. Monitor logs for unusual activity or repeated attempts to exploit this vulnerability. Additionally, consider implementing multi-factor authentication (MFA) to reduce the impact of session hijacking resulting from XSS exploitation. Regular security assessments and penetration testing focusing on web application vulnerabilities will help identify and remediate similar issues proactively.