CVE-2025-9715 is a cross-site scripting (XSS) vulnerability identified in the O2OA platform, specifically affecting versions up to 10.0-410. The vulnerability resides in an unspecified function within the /x_cms_assemble_control/jaxrs/script file, which is part of the Personal Profile Page component. The issue arises from improper sanitization or validation of user-supplied input in the parameters name, alias, or description. An attacker can exploit this flaw by injecting malicious scripts remotely without requiring authentication or privileges, leveraging the vulnerability to execute arbitrary JavaScript in the context of the victim's browser. The CVSS 4.0 base score is 5.1, indicating a medium severity level. The vector details show that the attack is network accessible (AV:N), requires low attack complexity (AC:L), no privileges (PR:L) but does require user interaction (UI:P). The impact is primarily on confidentiality and integrity, with limited impact on availability. The vendor has acknowledged the issue and plans to fix it in a future release, but no patch is currently available. No known exploits are reported in the wild yet, but proof-of-concept code has been publicly disclosed, increasing the risk of exploitation. This vulnerability could be leveraged to steal session cookies, perform actions on behalf of users, or conduct phishing attacks within the affected application environment.

For European organizations using O2OA version 10.0-410 or earlier, this vulnerability poses a tangible risk to user data confidentiality and application integrity. Since the vulnerability allows remote exploitation without authentication, attackers could target employees or customers accessing the Personal Profile Page, potentially hijacking sessions or injecting malicious content that could spread malware or harvest credentials. The impact is heightened in sectors where O2OA is used for sensitive personal or corporate information management, such as government agencies, financial institutions, and healthcare providers. The medium severity rating suggests that while the vulnerability is not immediately critical, it could serve as an entry point for more complex attacks or lateral movement within networks. Additionally, the requirement for user interaction means phishing or social engineering campaigns could be used to trigger the exploit. The absence of an official patch means organizations must rely on interim mitigations, increasing operational risk. Given the public availability of exploit code, the window for exploitation is open, and European entities should prioritize risk assessment and mitigation to prevent potential data breaches or reputational damage.

1. Implement strict input validation and output encoding on all user-supplied data fields, particularly name, alias, and description parameters within the Personal Profile Page component, to neutralize malicious scripts. 2. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of any successful XSS attempts. 3. Use web application firewalls (WAFs) with updated rules to detect and block common XSS payloads targeting O2OA endpoints. 4. Educate users about the risks of clicking on suspicious links or interacting with untrusted content, as user interaction is required for exploitation. 5. Monitor application logs and network traffic for unusual activities indicative of exploitation attempts. 6. Plan and prioritize upgrading to the fixed version of O2OA once the vendor releases the patch. 7. If immediate patching is not possible, consider temporarily restricting access to the vulnerable Personal Profile Page or applying custom filters to sanitize inputs at the application or proxy level. 8. Conduct regular security assessments and penetration testing focused on XSS vulnerabilities to identify and remediate similar issues proactively.