CVE-2025-9658 is a cross-site scripting (XSS) vulnerability identified in the O2OA platform, specifically affecting versions up to 10.0-410. The vulnerability resides in an unspecified function within the /x_portal_assemble_designer/jaxrs/dict/ path of the Personal Profile Page component. The flaw arises from improper sanitization or validation of user-controllable input parameters such as name, alias, or description. An attacker can manipulate these parameters to inject malicious scripts, which are then executed in the context of the victim's browser. This type of vulnerability enables attackers to perform actions such as session hijacking, defacement, or redirecting users to malicious sites. The vulnerability is remotely exploitable without requiring authentication, although user interaction is necessary to trigger the malicious payload (e.g., visiting a crafted URL). The vendor has acknowledged the issue and indicated that a fix will be included in a forthcoming version, but as of the publication date, no patch is available. The CVSS 4.0 base score is 5.1, reflecting a medium severity level, with the vector indicating network attack vector, low attack complexity, no privileges required, but user interaction needed, and limited impact on confidentiality and integrity. No known exploits are currently observed in the wild, but proof-of-concept code has been published, increasing the risk of exploitation.

For European organizations using O2OA, this vulnerability poses a moderate risk primarily to the confidentiality and integrity of user sessions and data. Successful exploitation could allow attackers to execute arbitrary scripts in users' browsers, potentially leading to credential theft, unauthorized actions performed on behalf of users, or distribution of malware. Organizations that rely on O2OA for internal collaboration or personal profile management may experience reputational damage, data leakage, or disruption of user trust. Since exploitation requires user interaction, phishing or social engineering campaigns could be leveraged to increase attack success. The impact is particularly relevant for sectors with sensitive personal or corporate information, such as finance, healthcare, and government institutions within Europe. Additionally, the lack of an immediate patch means organizations must rely on interim mitigations, increasing exposure time. However, the medium severity and limited scope of impact suggest that while the threat is significant, it is not critical, but should be addressed promptly to prevent escalation or chaining with other vulnerabilities.

European organizations should implement several targeted mitigations to reduce risk until an official patch is released. First, apply strict input validation and output encoding on all user-supplied data within O2OA, especially for parameters like name, alias, and description, to prevent script injection. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. Educate users to recognize and avoid suspicious links or messages that could trigger XSS attacks. Monitor web application logs for unusual requests targeting the vulnerable endpoints. If feasible, restrict access to the affected Personal Profile Page component to trusted internal networks or authenticated users only, reducing exposure. Consider deploying web application firewalls (WAFs) with custom rules to detect and block XSS payloads targeting the specific vulnerable parameters. Finally, maintain close communication with the vendor for timely updates and apply the official patch immediately upon release to fully remediate the vulnerability.