CVE-2025-9716 is a cross-site scripting (XSS) vulnerability identified in the O2OA platform, specifically affecting versions up to 10.0-410. The vulnerability resides in an unspecified functionality within the file /x_processplatform_assemble_designer/jaxrs/form, which is part of the Personal Profile Page component. The flaw arises from improper sanitization or validation of user-controllable input parameters such as name, alias, or description. An attacker can exploit this by injecting malicious scripts into these parameters, which are then executed in the context of a victim's browser when viewing the affected page. This type of vulnerability can be triggered remotely without requiring authentication, although user interaction (such as visiting a crafted URL or page) is necessary for the script execution. The vendor has acknowledged the issue and indicated that a fix will be included in a forthcoming version. The CVSS 4.0 base score is 5.1 (medium severity), reflecting the network attack vector, low attack complexity, no privileges required, but requiring user interaction and resulting in limited integrity impact. There are no known exploits in the wild at the time of publication, but the exploit details have been publicly disclosed, increasing the risk of exploitation. The vulnerability primarily threatens confidentiality and integrity by enabling script injection, which can lead to session hijacking, credential theft, or unauthorized actions performed on behalf of the user.

For European organizations using O2OA, particularly those deploying the affected versions, this vulnerability poses a moderate risk. Successful exploitation could allow attackers to execute arbitrary scripts in the browsers of users accessing the Personal Profile Page, potentially leading to theft of sensitive information, session tokens, or unauthorized actions within the application. This can undermine user trust and lead to data breaches or compliance violations under regulations such as GDPR. Since O2OA is a collaborative platform often used for enterprise resource planning and office automation, compromised user sessions could result in unauthorized access to internal resources or sensitive corporate data. The remote and unauthenticated nature of the attack vector increases exposure, especially in environments where users access the platform from untrusted networks or where phishing campaigns could be used to lure users into triggering the exploit. However, the requirement for user interaction and the medium severity score suggest that the threat is significant but not critical. Organizations with high user counts or those in regulated sectors should prioritize remediation to prevent potential lateral movement or data exfiltration.

Organizations should immediately inventory their O2OA deployments to identify affected versions (up to 10.0-410). Until the vendor releases the patched version, implement strict input validation and output encoding on the affected endpoints if possible, to neutralize malicious scripts. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious payloads targeting the vulnerable parameters (name, alias, description). Educate users about the risks of clicking on unsolicited links and implement browser security features such as Content Security Policy (CSP) to restrict script execution origins. Monitor logs for unusual activity related to the Personal Profile Page and consider isolating or restricting access to the affected component. Once the vendor patch is available, prioritize timely application of updates. Additionally, conduct penetration testing and vulnerability scanning focused on XSS vectors to ensure no residual vulnerabilities remain. For organizations with strict compliance requirements, document mitigation steps and incident response plans related to this vulnerability.