CVE-2025-9719 is a cross-site scripting (XSS) vulnerability identified in the O2OA platform, specifically affecting versions up to 10.0-410. The vulnerability resides in the Personal Profile Page component, within the file /x_processplatform_assemble_designer/jaxrs/script. It arises from improper sanitization or validation of user-controllable input parameters such as name, alias, description, and applicationName. An attacker can manipulate these parameters to inject malicious scripts that execute in the context of the victim's browser. This vulnerability is remotely exploitable without requiring authentication, although it does require some user interaction (e.g., the victim visiting a crafted URL or page). The CVSS 4.0 base score is 5.1, indicating a medium severity level. The vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:L - low privileges), user interaction required (UI:P), and limited impact on confidentiality and integrity (VC:N, VI:L), with no impact on availability. The vulnerability has been publicly disclosed, and proof-of-concept exploits are available, increasing the risk of exploitation. However, there are no known exploits in the wild at the time of reporting. The vulnerability could allow attackers to steal session cookies, perform actions on behalf of users, or deliver further malicious payloads, potentially leading to account compromise or data leakage within the affected O2OA environment.

For European organizations using O2OA, particularly those deploying version 10.0-410 or earlier, this vulnerability poses a tangible risk to user data confidentiality and integrity. Since O2OA is a collaborative office automation platform, exploitation could lead to unauthorized access to personal profiles and potentially sensitive organizational information. The XSS vulnerability could be leveraged to hijack user sessions, perform phishing attacks, or escalate privileges within the platform. This could disrupt business operations, damage organizational reputation, and lead to regulatory compliance issues under GDPR due to potential personal data exposure. The medium severity score reflects limited direct impact on availability but significant risks to confidentiality and integrity, which are critical for maintaining trust and compliance in European enterprises.

Organizations should prioritize upgrading O2OA to a patched version once available from the vendor. In the interim, implement strict input validation and output encoding on all user-supplied data fields related to name, alias, description, and applicationName within the Personal Profile Page component. Deploy Web Application Firewalls (WAFs) with custom rules to detect and block typical XSS payloads targeting these parameters. Educate users about the risks of clicking on suspicious links and encourage the use of security-conscious browsing practices. Additionally, review and harden Content Security Policy (CSP) headers to restrict script execution sources, mitigating the impact of potential XSS exploitation. Regularly monitor logs for unusual activity indicative of exploitation attempts. Finally, conduct thorough security assessments of the O2OA deployment to identify and remediate any other potential injection points.