CVE-2025-9719 is a cross-site scripting (XSS) vulnerability identified in the O2OA platform, specifically affecting versions up to 10.0-410. The vulnerability resides in the Personal Profile Page component, within the /x_processplatform_assemble_designer/jaxrs/script endpoint. It arises from improper sanitization or validation of user-supplied input parameters such as name, alias, description, and applicationName. An attacker can remotely exploit this flaw by injecting malicious scripts into these parameters, which are then executed in the context of other users' browsers when they access the affected page. This can lead to session hijacking, credential theft, or unauthorized actions performed on behalf of the victim user. The vulnerability requires no authentication (PR:L means low privileges, but AT:N means no authentication required) and no user interaction beyond visiting a crafted URL or page containing the malicious payload (UI:P indicates some user interaction is needed, e.g., clicking a link). The CVSS 4.0 base score is 5.1, reflecting a medium severity level, with network attack vector, low attack complexity, no privileges required, partial user interaction, and limited impact on confidentiality and integrity but no impact on availability. Although no public exploit is currently known in the wild, the exploit code has been made publicly available, increasing the risk of exploitation. The vulnerability affects an unknown code section within the specified endpoint, indicating that the root cause is likely input validation or output encoding failures in the web application’s scripting interface.

For European organizations using O2OA version 10.0-410 or earlier, this vulnerability poses a moderate risk. Successful exploitation could allow attackers to execute arbitrary scripts in users' browsers, potentially leading to theft of session cookies, credentials, or sensitive personal information. This could facilitate further attacks such as account takeover or lateral movement within the organization. The impact on confidentiality and integrity is partial but significant in environments where O2OA is used for managing personal profiles or sensitive application data. Availability is not affected. Given that the attack can be launched remotely without authentication, any exposed O2OA instances accessible over the internet or internal networks are at risk. European organizations with web-facing O2OA deployments may face reputational damage, regulatory scrutiny under GDPR if personal data is compromised, and operational disruptions if user trust is eroded. The medium severity rating suggests that while this is not a critical vulnerability, it should be addressed promptly to prevent exploitation.

1. Immediate patching or upgrading to a fixed version of O2OA once available is the most effective mitigation. Since no patch links are currently provided, organizations should monitor vendor advisories closely. 2. In the interim, implement web application firewall (WAF) rules to detect and block suspicious input patterns targeting the name, alias, description, and applicationName parameters, focusing on script tags and common XSS payloads. 3. Conduct a thorough review and hardening of input validation and output encoding mechanisms in the affected endpoint, ensuring all user inputs are properly sanitized and encoded before rendering. 4. Restrict access to the vulnerable endpoint by network segmentation or IP whitelisting to reduce exposure, especially for internet-facing instances. 5. Educate users to be cautious about clicking on suspicious links or interacting with untrusted content related to O2OA. 6. Enable Content Security Policy (CSP) headers on web servers hosting O2OA to limit the execution of unauthorized scripts. 7. Monitor logs and network traffic for signs of attempted exploitation or unusual activity related to the vulnerable parameters.