CVE-2025-9717 is a cross-site scripting (XSS) vulnerability identified in the O2OA software, specifically affecting versions up to 10.0-410. The vulnerability resides in the Personal Profile Page component, within the file path /x_organization_assemble_control/jaxrs/unit/. The issue arises from improper sanitization or validation of multiple input parameters, including name, shortName, distinguishedName, pinyin, pinyinInitial, and levelName. An attacker can manipulate these parameters to inject malicious scripts that execute in the context of a victim’s browser. The attack vector is remote and does not require authentication, but it does require some user interaction (e.g., the victim visiting a crafted URL or page). The CVSS 4.0 base score is 5.1, indicating a medium severity level. The vulnerability impacts confidentiality and integrity to a limited extent, as it can be used to steal session cookies, perform actions on behalf of the user, or deface content. Availability impact is negligible. No known exploits are currently reported in the wild, but public exploit code exists, increasing the risk of exploitation. The vulnerability’s ease of exploitation is moderate due to the need for user interaction and the lack of privilege requirements. This vulnerability highlights the importance of input validation and output encoding in web applications to prevent script injection attacks that can compromise user trust and data security.

For European organizations using O2OA version 10.0-410, this vulnerability poses a risk primarily to web application users and administrators. Successful exploitation could lead to session hijacking, unauthorized actions performed under the victim’s credentials, and potential exposure of sensitive personal profile information. This can result in reputational damage, regulatory non-compliance (e.g., GDPR violations if personal data is compromised), and potential lateral movement within the affected organization’s network if attackers leverage stolen credentials. The medium severity suggests that while the threat is not critical, it is significant enough to warrant prompt attention, especially in sectors with high data protection requirements such as finance, healthcare, and government institutions. The remote attack vector and public exploit availability increase the urgency for mitigation. Additionally, phishing campaigns leveraging this vulnerability could target European users, amplifying the impact.

1. Immediate patching: Organizations should monitor O2OA vendor communications for official patches or updates addressing CVE-2025-9717 and apply them promptly. 2. Input validation and sanitization: Until patches are available, implement web application firewall (WAF) rules to detect and block suspicious payloads targeting the vulnerable parameters (name, shortName, distinguishedName, pinyin, pinyinInitial, levelName). 3. Content Security Policy (CSP): Deploy strict CSP headers to restrict the execution of unauthorized scripts in browsers, mitigating the impact of XSS attacks. 4. User awareness: Educate users about the risks of clicking on suspicious links and encourage cautious behavior to reduce the likelihood of successful exploitation. 5. Logging and monitoring: Enhance logging of web application inputs and monitor for unusual activities or repeated attempts to exploit these parameters. 6. Review and harden authentication mechanisms: Since the vulnerability requires no authentication but user interaction, strengthening multi-factor authentication and session management can limit attacker leverage post-exploitation. 7. Conduct security testing: Perform penetration testing and code reviews focusing on input handling in the affected component to identify and remediate similar issues proactively.