CVE-2025-9717 is a cross-site scripting (XSS) vulnerability identified in the O2OA platform, specifically affecting versions up to 10.0-410. The vulnerability resides in the Personal Profile Page component, within the file path /x_organization_assemble_control/jaxrs/unit/. It involves improper sanitization or validation of user-supplied input parameters such as name, shortName, distinguishedName, pinyin, pinyinInitial, and levelName. An attacker can manipulate these parameters to inject malicious scripts that execute in the context of a victim's browser. The attack can be launched remotely without requiring authentication, but it does require some user interaction (e.g., victim visiting a crafted URL or page). The CVSS 4.0 base score is 5.1, indicating a medium severity level. The vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:L - low privileges required), user interaction required (UI:P), and limited impact on confidentiality and integrity (VC:N, VI:L) with no impact on availability. Although no known exploits in the wild have been reported, a public exploit is available, increasing the risk of exploitation. This vulnerability could allow attackers to steal session cookies, perform actions on behalf of users, or conduct phishing attacks by injecting malicious scripts into the affected web pages. Given that O2OA is a collaborative office automation platform, exploitation could lead to unauthorized access to sensitive organizational information or disruption of user workflows.

For European organizations using O2OA, this vulnerability poses a risk of client-side attacks that can compromise user sessions and data confidentiality. Attackers exploiting this XSS flaw could hijack user accounts, steal sensitive personal or organizational data, or manipulate displayed content to conduct phishing or social engineering attacks. This is particularly concerning for organizations handling personal data under GDPR, as exploitation could lead to data breaches and regulatory penalties. The vulnerability's ability to be exploited remotely and without high privileges increases the attack surface. Additionally, since O2OA is often used in enterprise environments for collaboration and document management, successful exploitation could disrupt business operations and damage trust in internal communication systems. While the vulnerability does not directly affect system availability or integrity of backend data, the indirect effects on confidentiality and user trust can be significant.

To mitigate this vulnerability, European organizations should prioritize updating O2OA to a patched version once available. In the absence of an official patch, organizations can implement input validation and output encoding on the affected parameters (name, shortName, distinguishedName, pinyin, pinyinInitial, levelName) to neutralize malicious scripts. Web Application Firewalls (WAFs) should be configured to detect and block typical XSS payloads targeting these parameters. Additionally, organizations should enforce Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. User awareness training on phishing and suspicious links can reduce the risk of successful exploitation. Regular security assessments and penetration testing focusing on web application inputs can help identify residual injection points. Monitoring logs for unusual requests to the affected endpoint (/x_organization_assemble_control/jaxrs/unit/) can provide early detection of exploitation attempts. Finally, limiting user privileges and session lifetimes can reduce the impact of stolen session tokens.